Colin Bennett logo white

Blog Post:

Submission to Special Committee to Review the B.C. Personal Information Protection Act (PIPA)

  1.  Stronger protections for special categories of sensitive data.   The risks to individuals are highest when particularly sensitive forms of data are processed, and contemporary privacy legislation (including the GDPR) imposes special obligations for the processing of sensitive categories of personal data.   In the GDPR, those special categories are defined as data revealing racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data; biometric data; health; sex life or sexual orientation.  Modern privacy legislation recognises that sensitive categories of data require stronger protections and that organizations should take into consideration the sensitivity of the data when processing such data.   PIPA should contain similar provisions. 
  1. Stronger protections for the processing of personal data on children:   There is nothing in PIPA that refers to the protection of personally identifiable data on children.   The Bill surely should prohibit the tracking of personal information on children, without the express consent of parents.  PIPA should include a section similar to that in s 16 of Bill 64: The personal information concerning a minor under 14 years of age may not be collected from him without the consent of the person having parental authority, unless collecting the information is clearly for the minor’s benefit.  I would also note that many corporate privacy policies include special sections on marketing to children.  The Canadian marketing association also has special guidance in marketing to children and teens.[32]   This should not be a controversial reform.

In conclusion, the committee should not fall into the trap of thinking that revisions to PIPA which strengthen the privacy of British Columbians will inevitably impose more compliance costs on business, and particularly SMEs.  Good privacy protection enhances consumer trust, and that is in the interest of business.   Contemporary privacy legislation recognizes that complementarity, and strives to establish the rights of the individuals and the obligations of the accountable organization in ways that recognize the mutually reinforcing interests of both. 


[1] Colin J. Bennett, Canada’s new Consumer Privacy Protection Act:   Will it be Adequate?  Privacy Laws and Business International Report, Issue 169 (February 2021).  

[2] Office of the Information and Privacy Commissioner of BC, Supplemental submission to the Special Committee to Review the Personal Information Protection Act (PIPA).  February 23, 2021 at:  https://www.leg.bc.ca/content/CommitteeDocuments/42nd-parliament/1st-session/pipa/2021-02-23_OIPC_Supplementary_Submission.pdf

[3] Colin J. Bennett, The Council of Europe’s Modernized Convention on Personal Data Protection:   Why Canada Should Consider Accession,   CIGI Paper No. 246, November 30, 2020 at:  https://www.cigionline.org/publications/council-europes-modernized-convention-personal-data-protection-why-canada-should

[4] Greenleaf, Graham, Global Data Privacy Laws 2021: Despite COVID Delays, 145 Laws Show GDPR Dominance (February 11, 2021). (2021) 169 Privacy Laws & Business International Report, 1, 3-5, UNSW Law Research, Available at SSRN: https://ssrn.com/abstract=3836348 or http://dx.doi.org/10.2139/ssrn.3836348

[5] See, Colin J. Bennett, One set of rights for Europeans, a lesser one for Canadians:  Why the Canadian Consumer Privacy Protection Act and the GDPR should be in alignment, at: https://www.colinbennett.ca/blog/one-set-of-privacy-rights-for-europeans-a-lesser-one-for-canadians-why-the-canadian-consumer-privacy-protection-act-and-the-eus-general-data-protection-regulation-should-be-in-alignment/

[6] European Data Protection Board, Working Document on Adequacy Referential (Revised 6 February, 2018) at: https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=614108

[7] Graham Greenleaf, GDPR creep for Australian businesses but gap in laws widens,  154 Privacy Laws and Business International Report, (June 2018) at:  https://papers.ssrn.com/abstract_id=3226835

[8]Microsoft recognises that: the European Union’s General Data Protection Regulation (GDPR) sets a new bar globally for privacy rights, information security and compliance…Microsoft is committed to its own compliance with the GDPR, as well as to provide an array of products, features, documentation and resources to support our customers in meeting their compliance obligations under the GDPR.   At:   https://docs.microsoft.com/en-ca/legal/gdpr

[9] Google asserts that compliance with the GDPR is a top priority for Google Cloud and our customers.  At:  https://cloud.google.com/security/gdpr

[10] Apple has a privacy governance framework as part of its Human Rights Policy which is heavily influenced by the GDPR.   And they state that: as part of our GDPR and human rights work, we undertake Privacy Impact Assessments (PIA) of our major products and services and integrate PIAs as we develop new products and services.    At: https://www.apple.com/legal/privacy/en-ww/governance/

[11] Shopify, the Canadian commerce platform, which serves businesses globally, has adopted a privacy policy which is explicitly framed around the legitimate interests framework in the GDPR.  And it complies with several provisions of the GDPR, including that on automated decision-making.  https://www.shopify.com/legal/privacy

[12] Bank of Montreal, for instance, acknowledges that “your Personal Data may be accessed by staff or suppliers in, transferred to, and/or stored in a country outside the EEA, in which data protection laws may be of a lower standard than within these jurisdictions. Regardless of location, we will impose the same data protection safeguards that we use inside the EU, the EEA, or the UK.”   At: https://capitalmarkets.bmo.com/media/filer_public/e3/64/e364c324-4276-4df6-a618-cfdb019f38af/bmo_euprivacycodeen_final-ua.pdf

[13] https://www.rbc.com/privacysecurity/ca/global-privacy-notice.html

[14] https://www.aircanada.com/ca/en/aco/home/legal/privacy-policy.html#/ae-information-eu

[15] https://all.accor.com/security-certificate/index.en.shtml?utm_medium=accor_brands_websites&utm_source=fairmont&utm_campaign=fairmont

[16] Colin J. Bennett, Canada’s new Consumer Privacy Protection Act:   Will it be Adequate?  Privacy Laws and Business International Report, Issue 169 (February 2021), at:    https://www.colinbennett.ca/canadian-privacy/canadas-new-consumer-privacy-protection-act-bill-c-11-will-it-be-adequatei/

[17] Office of the Privacy Commissioner of Canada, Submission of the Office of the Privacy Commissioner of Canada on C-11 at: https://www.priv.gc.ca/en/opc-actions-and-decisions/submissions-to-consultations/sub_ethi_c11_2105/

[18] Statement from the Privacy Commissioner of Canada following the tabling of Bill C-11 at:  https://www.priv.gc.ca/en/opc-news/news-and-announcements/2020/s-d_201119/

[19] Teresa Scassa, New Privacy Bill is a data protection reset for Canada, Policy Options, November 24, 2020.  

[20] https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/consent/gl_omc_201805/

[21] European Data Protection Board (EDPB) Working Document on Adequacy Referential.

[22] https://www.dataprotection.ro/servlet/ViewDocument?id=1087  page 10 and 4th bullet point on page 17

[23] Masao Horibe, The Realization of Mutual Adequacy Recognition between Japan and the EU and Issues Raised in the Process, Global Privacy Law Review, Vol. 1, Issue 3. 

[24] https://www.thecma.ca/resources/maintaining-standards/marketing-to-children-and-teens

[25] https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/r_o_p/02_05_d_19/

[26] European Data Protection Board (EDPB), Recommendations 02/2020 on the European Essential Guarantees for Surveillance Measures.  November 10, 2020 at: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_recommendations_202002_europeanessentialguaranteessurveillance_en.pdf

[27] BC Freedom of Information and Privacy Association (FIPA),  British Columbians want action on privacy protection:  Polling results (June 4, 2020) at: https://fipa.bc.ca/category/libraries/publications/publication-types/surveys-and-polling/

[28] Fasken Bulletin, Privacy Reform:   Back to the Drawing Board for C-11 (June 9, 2021) at: https://www.fasken.com/en/knowledge/2021/06/privacy-reform-back-to-the-drawing-board-for-c-11

[29] OIPC Submission (September 16, 2020), p. 5. 

[30] https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/

[31] Quebec, Bill 64.  An Act to modernise legislative provisions as regards the protection of personal information.   Explanatory Note, p. 3. 

[32] https://www.thecma.ca/resources/maintaining-standards/marketing-to-children-and-teens

  1. Privacy by design and by default:  The GDPR (Art. 25) imposes obligations on data controllers to implement technical and organizational measures to implement data minimisation, and other data protection principles. Also, the controller shall ensure that by default, only personal data which are necessary for each specific purpose are processed.   This obligation extends to the amount of personal data processed, the extent of processing, the period of storage and accessibility.   Quebec’s Bill 64 requires enterprises to ensure that the parameters of the technological products or services they use to collect personal information provide the highest level of confidentiality by default, without any intervention by the person concerned.[31]   I regard these as common-sense measures to implement the principle of data minimisation, and send a strong message to organizations that if they can provide their services without processing masses of PII, then they should.   It is a valuable principle that counters the surveillance by design paradigm that drives contemporary surveillance capitalism. 
  1.  Stronger protections for special categories of sensitive data.   The risks to individuals are highest when particularly sensitive forms of data are processed, and contemporary privacy legislation (including the GDPR) imposes special obligations for the processing of sensitive categories of personal data.   In the GDPR, those special categories are defined as data revealing racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data; biometric data; health; sex life or sexual orientation.  Modern privacy legislation recognises that sensitive categories of data require stronger protections and that organizations should take into consideration the sensitivity of the data when processing such data.   PIPA should contain similar provisions. 
  1. Stronger protections for the processing of personal data on children:   There is nothing in PIPA that refers to the protection of personally identifiable data on children.   The Bill surely should prohibit the tracking of personal information on children, without the express consent of parents.  PIPA should include a section similar to that in s 16 of Bill 64: The personal information concerning a minor under 14 years of age may not be collected from him without the consent of the person having parental authority, unless collecting the information is clearly for the minor’s benefit.  I would also note that many corporate privacy policies include special sections on marketing to children.  The Canadian marketing association also has special guidance in marketing to children and teens.[32]   This should not be a controversial reform.

In conclusion, the committee should not fall into the trap of thinking that revisions to PIPA which strengthen the privacy of British Columbians will inevitably impose more compliance costs on business, and particularly SMEs.  Good privacy protection enhances consumer trust, and that is in the interest of business.   Contemporary privacy legislation recognizes that complementarity, and strives to establish the rights of the individuals and the obligations of the accountable organization in ways that recognize the mutually reinforcing interests of both. 


[1] Colin J. Bennett, Canada’s new Consumer Privacy Protection Act:   Will it be Adequate?  Privacy Laws and Business International Report, Issue 169 (February 2021).  

[2] Office of the Information and Privacy Commissioner of BC, Supplemental submission to the Special Committee to Review the Personal Information Protection Act (PIPA).  February 23, 2021 at:  https://www.leg.bc.ca/content/CommitteeDocuments/42nd-parliament/1st-session/pipa/2021-02-23_OIPC_Supplementary_Submission.pdf

[3] Colin J. Bennett, The Council of Europe’s Modernized Convention on Personal Data Protection:   Why Canada Should Consider Accession,   CIGI Paper No. 246, November 30, 2020 at:  https://www.cigionline.org/publications/council-europes-modernized-convention-personal-data-protection-why-canada-should

[4] Greenleaf, Graham, Global Data Privacy Laws 2021: Despite COVID Delays, 145 Laws Show GDPR Dominance (February 11, 2021). (2021) 169 Privacy Laws & Business International Report, 1, 3-5, UNSW Law Research, Available at SSRN: https://ssrn.com/abstract=3836348 or http://dx.doi.org/10.2139/ssrn.3836348

[5] See, Colin J. Bennett, One set of rights for Europeans, a lesser one for Canadians:  Why the Canadian Consumer Privacy Protection Act and the GDPR should be in alignment, at: https://www.colinbennett.ca/blog/one-set-of-privacy-rights-for-europeans-a-lesser-one-for-canadians-why-the-canadian-consumer-privacy-protection-act-and-the-eus-general-data-protection-regulation-should-be-in-alignment/

[6] European Data Protection Board, Working Document on Adequacy Referential (Revised 6 February, 2018) at: https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=614108

[7] Graham Greenleaf, GDPR creep for Australian businesses but gap in laws widens,  154 Privacy Laws and Business International Report, (June 2018) at:  https://papers.ssrn.com/abstract_id=3226835

[8]Microsoft recognises that: the European Union’s General Data Protection Regulation (GDPR) sets a new bar globally for privacy rights, information security and compliance…Microsoft is committed to its own compliance with the GDPR, as well as to provide an array of products, features, documentation and resources to support our customers in meeting their compliance obligations under the GDPR.   At:   https://docs.microsoft.com/en-ca/legal/gdpr

[9] Google asserts that compliance with the GDPR is a top priority for Google Cloud and our customers.  At:  https://cloud.google.com/security/gdpr

[10] Apple has a privacy governance framework as part of its Human Rights Policy which is heavily influenced by the GDPR.   And they state that: as part of our GDPR and human rights work, we undertake Privacy Impact Assessments (PIA) of our major products and services and integrate PIAs as we develop new products and services.    At: https://www.apple.com/legal/privacy/en-ww/governance/

[11] Shopify, the Canadian commerce platform, which serves businesses globally, has adopted a privacy policy which is explicitly framed around the legitimate interests framework in the GDPR.  And it complies with several provisions of the GDPR, including that on automated decision-making.  https://www.shopify.com/legal/privacy

[12] Bank of Montreal, for instance, acknowledges that “your Personal Data may be accessed by staff or suppliers in, transferred to, and/or stored in a country outside the EEA, in which data protection laws may be of a lower standard than within these jurisdictions. Regardless of location, we will impose the same data protection safeguards that we use inside the EU, the EEA, or the UK.”   At: https://capitalmarkets.bmo.com/media/filer_public/e3/64/e364c324-4276-4df6-a618-cfdb019f38af/bmo_euprivacycodeen_final-ua.pdf

[13] https://www.rbc.com/privacysecurity/ca/global-privacy-notice.html

[14] https://www.aircanada.com/ca/en/aco/home/legal/privacy-policy.html#/ae-information-eu

[15] https://all.accor.com/security-certificate/index.en.shtml?utm_medium=accor_brands_websites&utm_source=fairmont&utm_campaign=fairmont

[16] Colin J. Bennett, Canada’s new Consumer Privacy Protection Act:   Will it be Adequate?  Privacy Laws and Business International Report, Issue 169 (February 2021), at:    https://www.colinbennett.ca/canadian-privacy/canadas-new-consumer-privacy-protection-act-bill-c-11-will-it-be-adequatei/

[17] Office of the Privacy Commissioner of Canada, Submission of the Office of the Privacy Commissioner of Canada on C-11 at: https://www.priv.gc.ca/en/opc-actions-and-decisions/submissions-to-consultations/sub_ethi_c11_2105/

[18] Statement from the Privacy Commissioner of Canada following the tabling of Bill C-11 at:  https://www.priv.gc.ca/en/opc-news/news-and-announcements/2020/s-d_201119/

[19] Teresa Scassa, New Privacy Bill is a data protection reset for Canada, Policy Options, November 24, 2020.  

[20] https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/consent/gl_omc_201805/

[21] European Data Protection Board (EDPB) Working Document on Adequacy Referential.

[22] https://www.dataprotection.ro/servlet/ViewDocument?id=1087  page 10 and 4th bullet point on page 17

[23] Masao Horibe, The Realization of Mutual Adequacy Recognition between Japan and the EU and Issues Raised in the Process, Global Privacy Law Review, Vol. 1, Issue 3. 

[24] https://www.thecma.ca/resources/maintaining-standards/marketing-to-children-and-teens

[25] https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/r_o_p/02_05_d_19/

[26] European Data Protection Board (EDPB), Recommendations 02/2020 on the European Essential Guarantees for Surveillance Measures.  November 10, 2020 at: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_recommendations_202002_europeanessentialguaranteessurveillance_en.pdf

[27] BC Freedom of Information and Privacy Association (FIPA),  British Columbians want action on privacy protection:  Polling results (June 4, 2020) at: https://fipa.bc.ca/category/libraries/publications/publication-types/surveys-and-polling/

[28] Fasken Bulletin, Privacy Reform:   Back to the Drawing Board for C-11 (June 9, 2021) at: https://www.fasken.com/en/knowledge/2021/06/privacy-reform-back-to-the-drawing-board-for-c-11

[29] OIPC Submission (September 16, 2020), p. 5. 

[30] https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/

[31] Quebec, Bill 64.  An Act to modernise legislative provisions as regards the protection of personal information.   Explanatory Note, p. 3. 

[32] https://www.thecma.ca/resources/maintaining-standards/marketing-to-children-and-teens

June, 15th 2021

I gave oral testimony to the committee on the reform of PIPA in June 2020.   Since then, the federal government’s Consumer Privacy Protection Act (CPPA) has been published and critiqued.  I understand that the committee is interested in the relationship between PIPA, the CPPA, (Bill C-11) and the EU General Data Protection Regulation (GDPR).   

I published an analysis of the adequacy of C-11 against the European GDPR standard in February 2021.[1]   This submission is based partially on that analysis.  I begin with a discussion of the importance of the GDPR for Canada, and of the significant gaps between Bill C-11 and the European standard.   The second part of the submission focusses on the implications for PIPA reform, in which I address some of the ideas contained in the February 23rd submission of the Office of the Information and Privacy Commissioner of BC.[2]

The European General Data Protection Regulation:   Why it matters for BC 

The GDPR is the EU-wide set of rules that came into force in 2018 designed to update privacy rules and make them generally compatible with the contemporary digital economy.  It is not the only international framework.  I have contended elsewhere that the Council of Europe’s Convention 108+ offers a more flexible, and exportable, set of standards and Canada should seriously consider accession.[3]

Nevertheless, as the regulatory framework that applies to the world’s largest single trading block, the GDPR has significant influence outside of Europe.  Its global influence is extensive.[4]  Many commentators from all sectors regard it as the gold standard for international privacy protection. It has an influence in Canada and BC in a number of ways:[5]

  • Through the insistence that European fundamental rights to data protection do not stop at the borders of the EU, personal data on Europeans has to be protected wherever it is processed.  For 20 years, Canada has enjoyed the status as a jurisdiction that offers an adequate level of protection for data imported from the EU.   This is significant.  It means that businesses do not then have to negotiate separate contractual arrangements if they want to process personal data on Europeans in Canada.   Recently the standard has been strengthened, as the European Court of Justice has insisted that personal data should only flow outside of the EU to countries whose laws display an essential equivalence to the GDPR.    This means that the law must contain the core information privacy principles, but there must also be effective procedural and enforcement mechanisms: an independent supervisory authority, a good level of compliance, accountability mechanisms and appropriate redress mechanisms for the individual.[6]   
  • The GDPR applies to the processing of personal data about individuals in the EU, regardless of where those data are processed.   Thus, if a BC business offers goods and services to individuals in the EU through their website or app, it applies.  If the business uses cookies on its website or mobile app to capture the IP address of a customer in Europe, it applies.  If a BC service provider processes data on individuals on behalf of European business clients, the GDPR applies.  If a BC business in anyway monitors the behavior of individuals in the EU, the GDPR applies.  
  • Even where a Canadian company does not have clients or customers in the EU, the GDPR could still have downstream effects through the repetition of GDPR standards in contracts throughout the data supply chain.  This ripple effect has been described as GDPR-creep.[7]
  • The GDPR has had a significant influence on our trading partners.  It has served as the model for new privacy laws in countries such as S. Korea, Japan and Brazil. Unlike in 2004, when PIPA was passed, data protection standards are not just being driven by the EU. The more countries that belong to the data protection club the greater the pressure on those without laws to join. And some of those countries, which have been granted adequacy status, are also passing provisions stipulating that personal data should not flow out of their countries unless the receiving jurisdiction has equivalent protections. For instance, the new Japanese data protection    law establishes a white list of countries.  Data protection is not just about flows of personal data from Europe to Canada, therefore, but implicates our trading relationships with other economies, including those in the Asia-Pacific.
  • As a result of the recognition of the global influence of the GDPR, some companies have striven for one harmonized global policy based on that standard.  Examples include Microsoft,[8]  Google, [9] Apple,[10]  Shopify[11] and many others.   The power of the major platforms and cloud-service providers is motivating a general, if incomplete, process of trading-up to the GDPR privacy standard. 
  • Companies that do business in Europe must ensure that they apply GDPR standards to data transferred out of Europe.  We see these commitments made by Canadian banks.[12]  This means that some companies have to distinguish between the rights afforded to Europeans and those of Canadians.   For instance, the GDPR guarantees citizens the right to port their data from one organization to another. The Royal Bank of Canada explicitly guarantees residents and citizens of the UK or Europe, rights of portability or removal of the personal data that we process about you at any time[13]  And Air Canada’s privacy policy contains a separate section on the rights of members of the European Economic Area (EEA), the UK and Switzerland.   Specifically, some of Air Canada’s data analytics and sharing practices do not apply to these citizens, unless they separately consent to them.  These illustrations indicate that some companies offer one set of rights for Europeans, and another for Canadians.[14]
  • Other Canadian companies are owned by European multi-nationals.  An example is the Fairmont hotel chain owned by the French Accor Group. Accor has instituted a Customer Personal Data Protection Charter, based on ten privacy principles for protecting your personal data in accordance with applicable regulations and in particular the GDPR. [15]

Thus, through both legislative reform efforts in different parts of the world, as well as through the global market effects, the GDPR’s influence has become widespread.   Its provisions cannot be ignored in Canada, or in BC.  Therefore, BC’s new privacy protection framework needs to be in alignment with the GDPR to strengthen the rights of Canadian citizens.  But it also needs to be aligned to assist the Canadian commercial sector.  Privacy rules need to be interoperable. 

Does the Canadian Consumer Privacy Protection Act (Bill C-11) meet the GDPR standard? 

Ascertaining levels of protection in this area of public policy is an inherently tricky and subjective process.  There is no space for a detailed legal analysis.  That said, I have identified a number of areas where questions about Canada’s adequacy status will probably be raised.[16]   The Privacy Commissioner of Canada has published a more comprehensive critique arguing for significant amendment to the current draft of the Bill.[17]    

  • The Federal Privacy Commissioner has argued that, C-11 opens the door to new commercial uses of personal information without consent, but does not specify that such uses are conditional on privacy rights being respected.[18]  Businesses can indeed collect and use personal data without knowledge and consent for a variety of purposes, and they raise questions whether in total they are essentially equivalent to the legitimate purposes allowed in the GDPR. Some repeat consent exemptions in PIPEDA and are relatively uncontroversial.   Others will be controversial.  For instance, businesses are permitted (s. 18(2)e)) to use information if obtaining the individual’s consent would be impracticable because the organization does not have a direct relationship with the individual.  An organization may also transfer an individual’s personal information to a service provider without their knowledge and consent (s. 19) or to reduce an organization’s risk (s. 18(2)b).  An organization may also use information without an individual’s knowledge and consent for internal research and development purposes if it is de-identified before it is used (s. 21).   It may also disclose without knowledge or consent to a range of public bodies if it is de-identified, and if it is for a socially beneficial purpose (s. 39). 
  • A related issue concerns the wide latitude to use personal data, provided it is de-identified.  Critics have pointed out that de-identification is a complex and error-prone and evolving process, and that much in the exemptions of consent for these, and other, business operations will need to be carefully specified in regulation.[19]  It is questionable whether de-identification lines up with the concepts of anonymization/pseudonymization in the GDPR.  It is also notable that abuses of these provisions are not further circumscribed by requirements for privacy impact assessments and privacy by design and by default, instruments that have been developed in Canada and exported to jurisdictions like the EU (see below).  
  • The CCPA is still based on a model of individual consent, and in some respects borrows from the Privacy Commissioner of Canada’s recent Guidelines for obtaining Meaningful Consent.[20]   Like the GDPR, the Bill provides some clear requirements for valid consent, and prohibits making consent a condition for the provision of a product or service, and using deceptive practices for obtaining consent.  And consent must be expressly obtained unless the organization establishes that implied consent is appropriate.  Individuals can withdraw their consent at any time.   However, the stipulations for the validity of consent in Section 15(3) are incomplete.  The Privacy Commissioner has pointed out the importance of reinstating the important words in Section 6.1 of PIPEDA: the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.  Organizations have supposedly been implementing this consent standard for 20 years.   It is unclear why it should be changed or diminished.  Relatedly, Section 3 could still permit the kind of meaningless and vague statements of purpose that has plagued privacy protection policy in Canada, and elsewhere.  Those purposes may very well be articulated in plain language but there is no requirement for the purposes articulated to be specified, explicit and legitimate as expressed in the GDPR (Article 5(1)a).   
  • Another issue which will likely raise questions is the absence of any definition in the Bill of sensitive forms of personal data an additional content principle referenced by the European Data Protection Board (EDPB) in its adequacy referential.[21]   Organizations must consider the sensitivity of data in many of their obligations: developing its privacy management program (s. 9(2)); judging the risk of a data breach (s. 12(2)); determining whether express or implied consent are appropriate (s. 15(4); and establishing appropriate security safeguards and techniques of de-identification (s. 74). However, the Government has resisted making a list of special categories of sensitive information, as appear in Article 9 of the GDPR, leaving it to the judgement of the organization, and perhaps future regulation. The clear definition of, and protections for, sensitive forms of personal data was a reason for the rejection of Quebec’s application for an adequacy assessment back in 2014,[22] and was also a key issue in the determination of Japanese adequacy.[23]   Leaving the specification of sensitivity to the organization could lead to specious arguments about certain types of data not being sensitive.   Furthermore, we have several findings by the Privacy Commissioner over the years on this issue most recently on the capture of sensitive biometric data by Clearview AI.  
  • Neither is there any specific reference in the Bill to the protection of data about children.  Privacy law surely should prohibit the tracking of personal information on kids, without the express consent of parents.  There is nothing in the CPPA similar to that in s 16 of Quebec’s Bill 64: The personal information concerning a minor under 14 years of age may not be collected from him without the consent of the person having parental authority, unless collecting the information is clearly for the minor’s benefit.  I would also note that many corporate privacy policies include special sections on marketing to children.  The Canadian marketing association also has special guidance in marketing to children and teens.[24]   This should not be a controversial reform.
  • A further issue of perennial concern in adequacy assessments will be the question of the onward transfer of personal data beyond Canadian borders.  Nowhere in the CCPA is there a clear section on transborder data flows, as appears in the extensive Chapter 4 of the GDPR.  The rules for onward transfers are dotted around several sections of the CCPA.  In essence, the Bill retains the accountability or organization-to-organization approach of PIPEDA.  The organization which transfers the data must ensure by contract or otherwise, that the service provider provides substantially the same protection of the personal information as provided under this Act.  But, (s.19), an organization may transfer an individual’s personal information to a service provider without their knowledge or consent.  Where personal data is processed offshore, and especially in countries whose commitments to human rights and democracy are questionable, businesses should at least be required to conduct a privacy impact assessment.  
  • There will be a lingering question about the definition of a commercial activity defined in CPPA as any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, taking into account an organization’s objectives for carrying out the transaction, act or conduct, the context in which it takes place, the persons involved and its outcome.   PIPEDA defined commercial activity as “…any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.”   The Privacy Commissioner had issued guidance on how PIPEDA applies to charitable and non-profit organizations to the extent that they were engaged in such commercial activities.[25]   So, there will continue to be questions, in Canada and outside, about the limits of commercial activity, and therefore the scope of the Bill.  (A related issue, and major disappointment, is that the bill does not explicitly apply to federal political parties, as PIPA does in BC).
  • The final huge issue relates to law enforcement and national security access to personal data the essential problem that sank the agreement between the EU and the US (the EU-US Privacy Shield) in the Schrems II decision of the European Court of Justice.  As a member of the Five Eyes network, the question of redress against national security and intelligence services will be prominent in any analysis of Canadian adequacy, and that will lead to analysis of related Canadian laws, such as Security of Canada Information Disclosure Act and the Canadian Security Intelligence Service Act.   The European Data Protection Board has laid out four interlinked essential guarantees that must be considered: clear, precise and accessible rules; necessity and proportionality; independent oversight; and effective remedies.[26]  Thus, the analysis of essential equivalence must venture way beyond the framework in the CCPA (and other provincial laws on commercial privacy protection) to examine public sector access to corporate data at the federal, and provincial, levels. 

In conclusion, I doubt whether the CPPA will pass the test for adequacy administered by the EU without significant amendment.   It will be a major disappointment if our adequacy judgement is rescinded, and the competitiveness of Canadian business affected.    

The Implications for reform of the B.C. Personal Information Protection Act (PIPA)

There have been two statutory reviews of PIPA and nothing has been done to    update the law in 20 years.Despite what you will hear from others about this being a practical statute that balances the rights of the individual with the needs of business, I do not think the law is working particularly well. I see a lot of non-compliance in my daily interactions with businesses in BC. You will have seen a poll from the Freedom of Information and Privacy Association. Only 47% of those polled believe that organizations are open and transparent about how they collect and use personal information. Only 32% were aware of the existence of PIPA.[27] We are living in a world of far greater awareness of privacy as a social and political issue, as well as far higher levels of concern about the lack of individual control over our personal data.

PIPA was written to regulate the simpler bilateral relationship between the individual and a business. A consumer finds an infraction and complains. The Commissioner investigates, mediates or makes an order.Now, our relationships with businesses are a lot more complex, multilateral and opaque. In many cases, we do not even know of the entities that capture data about us in this complex digital environment. In many instances, we are not even aware of how we are being identified, and by whom. Judgements about us are often not made through human intervention but by AI and machine-learning. 

Privacy protection is also a far more important political issue than it was in 2004. As personal data is the main resource of surveillance or informational capitalism, privacy protection goes to the heart of the waythat wealth is now created. Laws like PIPA are not just consumer protection statutes, therefore, they perform central functions in the regulation of the global informational economy and that is why Big Tech companies have spent millions of dollars lobbying against them in different parts of the world.

So, what does this all mean for BC?   How should the BC government take these wider developments into consideration?    I would like to make the following general recommendations about questions that I find particularly compelling, many of which are in support of the recommendations of the BC OIPC.    

  1. Do not wait for the federal bill to be passed.   If a reformed PIPA broadly meets the GDPR standard, it will meet whatever reforms are introduced at the federal level, and will therefore be substantially similar.  Federal privacy protection policy is mired in a range of wider political issues and constitutional considerations.  C-11 has not (at this time) received a second reading in the house, and has not yet been analysed by the House of Commons Standing Committee on Access to Information, Privacy and Ethics (ETHI).   Recent commentary has suggested that the Bill will go back to the drawing board.[28]
  • Quick fixes won’t cut it.   PIPA’s reliance in a consent with exceptions model follows the PIPEDA model of consent as the main requirement for the legitimate processing of personal data with a lengthy set of exemptions for collection, use and disclosure of personal data without consent.    The adherence to the consent with exceptions model leads to consent fatigue on the part of individuals, and massive confusion about responsibilities in the context of complex and automated data processing operations involving different organizations, many of which may have no direct relationship with the individual.    Consent then becomes less a process to establish the legitimacy of individual transactions, and more a process of collective license.  This is especially the case where laws allow for wide latitude to assume implicit consent (as in PIPA).   The consent with exceptions model is also grounded in the archaic and shifting principle of the reasonable person test (Section 4.1).    As many have observed, if a reasonable person now reasonably believes that he/she will be monitored, then the principle increasingly becomes a meaningless control over illegitimate data processing.   This consent with exceptions model also places a greater burden on small and medium-sized enterprises.   
  • Strengthen the standards for notice and consent.  Where consent is relied upon as the legitimate basis for processing personal data, that consent should be clear, free and informed.  The purposes to which the individual is consenting should be stated in simple language and in such a way that the individual would understand what they are consenting to.  That notice should be separate from other legal notices, such as broader terms of service agreement.  Clear, informed and express consent is particularly important where sensitive categories of data are being processed (see below), as well as where decisions about an individual are made using automated processing.  As the Commissioner has argued (consistent with the GDPR standard), individuals should always be informed when an organization is using automated methods to make a decision about them, and have the right to insist on human intervention. 
  • But do not rely on consent.  The consent model places too much responsibility on the individual. The GDPR, and the national legislation based on the GDPR, take the view that individual consent is just one of the grounds that a business might use legitimately to process personal data.   PIPA should set out a regime grounded on the legal authority for processing personally identifiable data. In addition to consent, other legitimate grounds include:   necessary for the performance of a contract; necessary for compliance with legal obligations; necessary to protect the vital interests of the individual; necessary for the performance of a task carried out in the public interest; and necessary for the purposes of the legitimate interests of the organization subject always to the exception that an organization’s legitimate interests are overridden by the fundamental privacy rights of the individual, when challenged.  The legitimate grounds for processing must also be documented as part of the broader accountabilityrequirements.   Thus, any organization needs to stand ready to demonstrate to any outsider, including the regulator, how they are complying with the law.  
  • Use all the policy tools in the toolbox to strengthen accountability.   Historically, the European approach to privacy has been more prescriptive and based on top-down command and sanction.  But over the years, European states and their data protection authorities have progressively adopted approaches largely pioneered in the Anglo-American democracies (including Canada).   Those approaches include:  privacy impact assessments, privacy by design and default, privacy certification, privacy codes of practice, as well as privacy management accountability.    All those tools are reflected in the GDPR, which displays an interesting mix of regulatory and self-regulatory instruments designed to bolster the accountability of the organization.   They were imported from countries like Canada often with some scepticism from European legal experts steeped in European civil law traditions. Canadian privacy law needs to reflect all the contemporary instruments for the protection of privacy in the modern world.   The scale and complexity of contemporary surveillance requires nothing less. 
  • Stronger privacy protections are required throughout the data-processing chain  The Commissioner is correct that PIPA should be amended to protect personal data transferred to service providers.  These measures are critical to protect the privacy rights of British Columbians when their personal data is being processed by third party processors where ever they may be located.  There are two general approaches to onward transfer regulation organization to organization, or jurisdiction to jurisdiction.   Canada has traditionally adopted the former approach; the European’s adequacy approach reflects the latter.  

PIPA does not speak to this issue explicitly.   There needs to be clear guidance to organizations about their legal responsibilities when they transfer personal data to other organizations for processing, and especially where it is transferred to another jurisdiction.  That should include a combination of contractual and other measures to ensure compliance with PIPA, as suggested in the OIPC submission.   It should also include a requirement that the organization assess the broader privacy and security environment in that jurisdiction.  Quebec’s Bill 64 (Sec. 103) includes a requirement for PIAs to be conducted when an enterprise communicates personal information outside Quebec, considering:  the sensitivity of the information; the purposes for which it is to be used; the protection measures; the legal framework applicable in the state and degree of equivalency to Quebec law.  Although this probably goes too far, the requirement for PIAs (assessing the overall legal framework) is beneficial.   It tells the organization to do due diligence not only about the service provider, but also about the jurisdiction itself and its overall commitment to privacy rights and the rule of law. 

  • Mandatory breach notification:   I fully support the BC Commissioner’s recommendations for a requirement for mandatory breach notification.[29]  Data breaches are now commonplace and can have massive consequences for corporate share prices and reputations.   Data breach notification is now a standard component of international privacy laws. Since 2018, under the federal Digital Privacy Act (amending PIPEDA), every organization that collects, uses and discloses personal information in the course of commercial activity in Canada (with a few exceptions) must follow new mandatory data breach record-keeping, reporting and notification rules, or face significant consequences for non-compliance. B.C. is out of step. Businesses that are responsible for significant data breaches that affectthe rights and interests of citizens should be obliged to report those breaches to the Commissioner, and under some circumstances to the individuals themselves. 
  • Enhanced powers for the Information and Privacy Commissioner:  Complaints resolution, investigation and individual redress are important, but more crucial powers are those that are generaland anticipatory, rather than specific and remedial. The law has to give the Commissioner more powers to act pro-actively, as well as to address systemic issues    using the entire repertoire of policy tools: educational, technological and regulatory. I fully support the Commissioner’s call for the power to issue administrative monetary penalties, when necessary, to enter into compliance agreements and to initiate audits and investigations in the absence of complaints.  Three decades of experience and research have demonstrated that the presence of the regulatory stick often assists the exercise ofsofter instruments of persuasion.
  • Requirement for Privacy Impact Assessments (PIAs):   Under specified conditions (large scale personal data processing, new business models, sensitive data) where there is high risk to the privacy of the individual, organizations should be required to do a PIA and not just a legal compliance check list, but a more comprehensive analysis of the broader risks to the individual.  Organizations should be ready to demonstrate that they have done this analysis, if requested by the Commissioner.   PIAs already form a central part of corporate privacy management programs.   As a critical component of demonstrable accountability, they would seem a natural requirement, and squarely in the interests of the responsible corporation.  PIAs can be required without imposing huge compliance costs on SMEs even though it should be remembered that some SMEs can engage in some highly intrusive surveillance.   The GDPR (article 35) includes a requirement for an organization to conduct a data protection impact assessment (DPIA) where the processing is likely to result in a high risk to the rights and freedoms of natural persons.   The assessment is particularly necessary when new technologies are being deployed.  I would refer you to the recent guidance by the UK ICO under the new UK GDPR.[30]   I think this guidance reflects that kind of approach that could be adopted in BC and Canada.  
  1. Privacy by design and by default:  The GDPR (Art. 25) imposes obligations on data controllers to implement technical and organizational measures to implement data minimisation, and other data protection principles. Also, the controller shall ensure that by default, only personal data which are necessary for each specific purpose are processed.   This obligation extends to the amount of personal data processed, the extent of processing, the period of storage and accessibility.   Quebec’s Bill 64 requires enterprises to ensure that the parameters of the technological products or services they use to collect personal information provide the highest level of confidentiality by default, without any intervention by the person concerned.[31]   I regard these as common-sense measures to implement the principle of data minimisation, and send a strong message to organizations that if they can provide their services without processing masses of PII, then they should.   It is a valuable principle that counters the surveillance by design paradigm that drives contemporary surveillance capitalism. 
  1.  Stronger protections for special categories of sensitive data.   The risks to individuals are highest when particularly sensitive forms of data are processed, and contemporary privacy legislation (including the GDPR) imposes special obligations for the processing of sensitive categories of personal data.   In the GDPR, those special categories are defined as data revealing racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data; biometric data; health; sex life or sexual orientation.  Modern privacy legislation recognises that sensitive categories of data require stronger protections and that organizations should take into consideration the sensitivity of the data when processing such data.   PIPA should contain similar provisions. 
  1. Stronger protections for the processing of personal data on children:   There is nothing in PIPA that refers to the protection of personally identifiable data on children.   The Bill surely should prohibit the tracking of personal information on children, without the express consent of parents.  PIPA should include a section similar to that in s 16 of Bill 64: The personal information concerning a minor under 14 years of age may not be collected from him without the consent of the person having parental authority, unless collecting the information is clearly for the minor’s benefit.  I would also note that many corporate privacy policies include special sections on marketing to children.  The Canadian marketing association also has special guidance in marketing to children and teens.[32]   This should not be a controversial reform.

In conclusion, the committee should not fall into the trap of thinking that revisions to PIPA which strengthen the privacy of British Columbians will inevitably impose more compliance costs on business, and particularly SMEs.  Good privacy protection enhances consumer trust, and that is in the interest of business.   Contemporary privacy legislation recognizes that complementarity, and strives to establish the rights of the individuals and the obligations of the accountable organization in ways that recognize the mutually reinforcing interests of both. 


[1] Colin J. Bennett, Canada’s new Consumer Privacy Protection Act:   Will it be Adequate?  Privacy Laws and Business International Report, Issue 169 (February 2021).  

[2] Office of the Information and Privacy Commissioner of BC, Supplemental submission to the Special Committee to Review the Personal Information Protection Act (PIPA).  February 23, 2021 at:  https://www.leg.bc.ca/content/CommitteeDocuments/42nd-parliament/1st-session/pipa/2021-02-23_OIPC_Supplementary_Submission.pdf

[3] Colin J. Bennett, The Council of Europe’s Modernized Convention on Personal Data Protection:   Why Canada Should Consider Accession,   CIGI Paper No. 246, November 30, 2020 at:  https://www.cigionline.org/publications/council-europes-modernized-convention-personal-data-protection-why-canada-should

[4] Greenleaf, Graham, Global Data Privacy Laws 2021: Despite COVID Delays, 145 Laws Show GDPR Dominance (February 11, 2021). (2021) 169 Privacy Laws & Business International Report, 1, 3-5, UNSW Law Research, Available at SSRN: https://ssrn.com/abstract=3836348 or http://dx.doi.org/10.2139/ssrn.3836348

[5] See, Colin J. Bennett, One set of rights for Europeans, a lesser one for Canadians:  Why the Canadian Consumer Privacy Protection Act and the GDPR should be in alignment, at: https://www.colinbennett.ca/blog/one-set-of-privacy-rights-for-europeans-a-lesser-one-for-canadians-why-the-canadian-consumer-privacy-protection-act-and-the-eus-general-data-protection-regulation-should-be-in-alignment/

[6] European Data Protection Board, Working Document on Adequacy Referential (Revised 6 February, 2018) at: https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=614108

[7] Graham Greenleaf, GDPR creep for Australian businesses but gap in laws widens,  154 Privacy Laws and Business International Report, (June 2018) at:  https://papers.ssrn.com/abstract_id=3226835

[8]Microsoft recognises that: the European Union’s General Data Protection Regulation (GDPR) sets a new bar globally for privacy rights, information security and compliance…Microsoft is committed to its own compliance with the GDPR, as well as to provide an array of products, features, documentation and resources to support our customers in meeting their compliance obligations under the GDPR.   At:   https://docs.microsoft.com/en-ca/legal/gdpr

[9] Google asserts that compliance with the GDPR is a top priority for Google Cloud and our customers.  At:  https://cloud.google.com/security/gdpr

[10] Apple has a privacy governance framework as part of its Human Rights Policy which is heavily influenced by the GDPR.   And they state that: as part of our GDPR and human rights work, we undertake Privacy Impact Assessments (PIA) of our major products and services and integrate PIAs as we develop new products and services.    At: https://www.apple.com/legal/privacy/en-ww/governance/

[11] Shopify, the Canadian commerce platform, which serves businesses globally, has adopted a privacy policy which is explicitly framed around the legitimate interests framework in the GDPR.  And it complies with several provisions of the GDPR, including that on automated decision-making.  https://www.shopify.com/legal/privacy

[12] Bank of Montreal, for instance, acknowledges that “your Personal Data may be accessed by staff or suppliers in, transferred to, and/or stored in a country outside the EEA, in which data protection laws may be of a lower standard than within these jurisdictions. Regardless of location, we will impose the same data protection safeguards that we use inside the EU, the EEA, or the UK.”   At: https://capitalmarkets.bmo.com/media/filer_public/e3/64/e364c324-4276-4df6-a618-cfdb019f38af/bmo_euprivacycodeen_final-ua.pdf

[13] https://www.rbc.com/privacysecurity/ca/global-privacy-notice.html

[14] https://www.aircanada.com/ca/en/aco/home/legal/privacy-policy.html#/ae-information-eu

[15] https://all.accor.com/security-certificate/index.en.shtml?utm_medium=accor_brands_websites&utm_source=fairmont&utm_campaign=fairmont

[16] Colin J. Bennett, Canada’s new Consumer Privacy Protection Act:   Will it be Adequate?  Privacy Laws and Business International Report, Issue 169 (February 2021), at:    https://www.colinbennett.ca/canadian-privacy/canadas-new-consumer-privacy-protection-act-bill-c-11-will-it-be-adequatei/

[17] Office of the Privacy Commissioner of Canada, Submission of the Office of the Privacy Commissioner of Canada on C-11 at: https://www.priv.gc.ca/en/opc-actions-and-decisions/submissions-to-consultations/sub_ethi_c11_2105/

[18] Statement from the Privacy Commissioner of Canada following the tabling of Bill C-11 at:  https://www.priv.gc.ca/en/opc-news/news-and-announcements/2020/s-d_201119/

[19] Teresa Scassa, New Privacy Bill is a data protection reset for Canada, Policy Options, November 24, 2020.  

[20] https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/consent/gl_omc_201805/

[21] European Data Protection Board (EDPB) Working Document on Adequacy Referential.

[22] https://www.dataprotection.ro/servlet/ViewDocument?id=1087  page 10 and 4th bullet point on page 17

[23] Masao Horibe, The Realization of Mutual Adequacy Recognition between Japan and the EU and Issues Raised in the Process, Global Privacy Law Review, Vol. 1, Issue 3. 

[24] https://www.thecma.ca/resources/maintaining-standards/marketing-to-children-and-teens

[25] https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/r_o_p/02_05_d_19/

[26] European Data Protection Board (EDPB), Recommendations 02/2020 on the European Essential Guarantees for Surveillance Measures.  November 10, 2020 at: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_recommendations_202002_europeanessentialguaranteessurveillance_en.pdf

[27] BC Freedom of Information and Privacy Association (FIPA),  British Columbians want action on privacy protection:  Polling results (June 4, 2020) at: https://fipa.bc.ca/category/libraries/publications/publication-types/surveys-and-polling/

[28] Fasken Bulletin, Privacy Reform:   Back to the Drawing Board for C-11 (June 9, 2021) at: https://www.fasken.com/en/knowledge/2021/06/privacy-reform-back-to-the-drawing-board-for-c-11

[29] OIPC Submission (September 16, 2020), p. 5. 

[30] https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/

[31] Quebec, Bill 64.  An Act to modernise legislative provisions as regards the protection of personal information.   Explanatory Note, p. 3. 

[32] https://www.thecma.ca/resources/maintaining-standards/marketing-to-children-and-teens