A B.C. legislature committee suggestion that would allow private companies to give police customers’ information without their consent is drawing sharp criticism from civil liberties and privacy groups.
The final report by the Special Committee to Review the Personal Information Protection Act (PIPA), quietly released Dec. 6, noted that the act “recognizes the right of individuals to control access to and the use of their personal information, as well as the need for organizations to collect and use personal information for legitimate and reasonable purposes.”
However, if passed into law by the NDP, one of its recommendations would allow for “the collection, use, and disclosure of information without consent where a reasonable person would agree that the information is required for an investigation or prevention of fraud or criminal activity.”
For government watchdogs, that’s a problem.
“This can make private companies an investigative arm to the state without appropriate safeguards or oversight,” said Meghan McDermott, Civil Liberties Association policy director.
Similarly, B.C.’s Freedom of Information and Privacy Association (FIPA) said the suggestion could blur lines of law enforcement when private companies act in conjunction with the police to advance corporate or business interests without appropriate oversight.
“This recommendation would enable private companies, without consent, to collect, use and disclose the personal information of British Columbians and share it with law enforcement for unspecified investigations,” FIPA executive director Jason Woywada said.
“This is an erosion of civil liberties and privacy,” he said. “It sets a dangerous precedent evidenced in conflicts around BarWatch and TransMountain pipeline protests.”
The committee recommended strengthened provisions regarding employee privacy access requests, including fee schedules, timeframes, enforcement, and consequences of failing to provide access to an individual’s information.
Notably, explained Vancouver McMillan LP firm lawyers Robert Piasentin, Gurp Dhaliwal and Yue Fei in a Dec. 14 commentary, the report recommends updating PIPA to include the concept of “meaningful consent.”
“For consent to be meaningful, the individuals must be fully aware of the nature of the personal information being collected, how it is collected, and what will be done with it,” they said, noting committee concerns about company privacy policies being overly complex, confusing and opaque and allowing over-collection of people’s information.
“Businesses should be prepared to review and update their privacy policies to ensure that they are easily understandable by and accessible to an average person,” the lawyers said
The committee also raised the issue of access to information request fees, a situation that was a lightning rod for criticism when the NDP government proposed and then rammed through amendments to the Freedom of Information and Privacy Act earlier this year.
The committee comprises NDPers Mable Elmore, Garry Begg, Rick Glumac and Kelly Greene, and Liberals Andrew Wilkinson, Dan Ashton, and Green Adam Olsen.
The committee made 34 recommendations, including:
- aligning PIPA with provincial, federal and international privacy legislation
- adding provisions to reflect modern information processing practices and their impact on privacy
- ensuring British Columbians have meaningful control over their information
- explicit protections for sensitive information such as biometric data
- mandatory notification following a significant privacy breach
- enhancing the enforcement powers of the provincial information and privacy commissioner
“Advancements in new technologies, including automated decision‐making and biometrics, are being used with increasing frequency to deliver services that we have all come to rely on,” committee chair Elmore said. “While there are benefits to this, we must also ensure that modernized privacy legislation includes safeguards that reflect this new reality.”
B.C. commissioner Michael McEvoy agreed with the committee’s emphasis on the need to align B.C.’s legislation with the changing federal, provincial and international privacy regimes, including the European Union’s General Data Protection Regulation.
“This consistency will make for more meaningful enforcement of citizen privacy rights while providing a more seamless set of rules for businesses.”
Further, he said, the “recommendation of mandatory breach notification for the private sector is especially important now as modern technologies and business practices facilitate the compilation of ever-increasing amounts of often very sensitive personal information about us.”