BC PIPA Reform: What BC's 2026 Privacy Bill Signals for Private-Sector Businesses
By Yong Du
BC is reforming its public-sector privacy law first. Here's what Bill 9 signals for BC PIPA private-sector reform and what businesses should do now.
BC is reforming its public-sector privacy law — private sector is next
British Columbia tabled Bill 9 — the Freedom of Information and Protection of Privacy Amendment Act, 2026 — in the current legislative session. The bill is a government bill sponsored by the Minister of Citizens' Services and amends FIPPA, BC's privacy law for government ministries, municipalities, school boards, and universities.
Bill 9 does not amend BC PIPA.
BC PIPA — the Personal Information Protection Act that governs private-sector and non-profit organizations — has not been amended and no reform bill or formal review has been announced as of June 2026.
This is the same pattern Alberta followed. Alberta enacted POPA (the Protection of Privacy Act) for public bodies in June 2025, and PIPA reform for private-sector organizations followed through a Standing Committee process with 12 recommendations published in February 2025. BC is at the public-sector stage now.
What Bill 9 actually does
Bill 9 makes amendments to FIPPA across three main areas. All provisions apply exclusively to public bodies — none affect private-sector organizations under BC PIPA.
Modernizing access to information procedures
Bill 9 tightens access request requirements: a request must provide enough detail for an experienced employee to identify the record in a reasonable amount of time. The duty to respond changes from "without delay" to "without unreasonable delay." The OIPC BC gains authority to authorize public bodies to disregard requests that are abusive, malicious, repetitive, or excessively broad.
Connected services provider framework (new s.69.3)
The most significant addition: new section 69.3 allows the Minister of Citizens' Services to designate public bodies as "connected services providers" — entities that can share personal information between government bodies for integrated service delivery. This creates an explicit legal framework for BC government data interoperability across ministries and agencies, with the minister giving directions on what information can be shared, in what format, and under what circumstances.
Regulator coordination and review timelines
The OIPC BC gains explicit authority to exchange information and enter information-sharing agreements with privacy commissioners in other jurisdictions. Review timelines are codified: an inquiry into a matter under review must be completed within 90 days unless the commissioner specifies a later date and notifies the relevant parties.
What Bill 9 signals for BC PIPA
Bill 9 is not a direct BC PIPA reform signal the way Alberta's POPA was — POPA explicitly introduced Privacy Management Programs for public bodies and the OIPC Alberta stated comparable private-sector requirements were forthcoming. Bill 9 does not contain equivalent language directed at private-sector organizations.
What Bill 9 does signal:
The OIPC BC is building inter-jurisdictional capacity. The commissioner's new authority to exchange information and enter sharing agreements with commissioners in other provinces matters for private-sector organizations because it means the OIPC BC will have a direct channel to the OPC and OIPC Alberta. When your organization has a breach that triggers both BC PIPA and PIPEDA, the regulators will be better positioned to coordinate.
BC is modernizing regulatory infrastructure before expanding obligations. Access to information modernization, connected services frameworks, and regulator coordination capacity are administrative prerequisites for a more robust enforcement environment. BC is building the institutional machinery before introducing the obligations.
BC PIPA reform is coming — the timing is uncertain. Every Canadian private-sector privacy jurisdiction is moving toward mandatory breach reporting, defined harm thresholds, and privacy management program requirements. BC PIPA already requires individual notification when RROSH is present. Mandatory regulator reporting is the logical next step. No timeline has been announced.
BC vs. Alberta reform comparison
| BC | Alberta | |
|---|---|---|
| Public-sector reform | Bill 9 (FIPPA amendments) — 2026 | POPA enacted June 2025 |
| Private-sector Standing Committee review | Not announced | 12 recommendations — February 2025 |
| Private-sector government engagement | Not announced | Government survey February 2026; OIPC engagement Spring 2026 |
| Administrative monetary penalties (private sector) | Not announced | Recommended — pending bill |
| Mandatory regulator breach reporting | Currently voluntary | Currently mandatory |
| Privacy Management Program (private sector) | Not yet required | Not yet required — forthcoming |
| Reform timeline | No timeline announced | 2026–2027 expected — no date confirmed |
BC is approximately one reform cycle behind Alberta. Alberta is at "recommendations published, bill forthcoming." BC is at "public-sector bill introduced, private-sector review not announced."
What current BC PIPA requires — the baseline you need now
While BC PIPA reform timing is uncertain, current obligations are not.
Breach notification to affected individuals is mandatory when RROSH is present. This is not voluntary. When a breach poses a real risk of significant harm, you must notify individuals directly and without unreasonable delay. No future reform required — this is the law now.
Voluntary reporting to the OIPC BC is not mandatory under current BC PIPA, but strongly recommended. Organizations with a history of voluntary reporting are better positioned when the OIPC BC investigates a complaint. If the breach also triggers PIPEDA, you must file with the OPC regardless — that mandatory report goes alongside your voluntary OIPC BC report.
Designated privacy contact — BC PIPA's accountability principle requires an individual responsible for compliance. This is a current obligation.
Written privacy policy — BC PIPA's openness principle requires that your organization's privacy practices be available to the public in a form individuals can understand.
Safeguards appropriate to information sensitivity — documented security practices, access controls, and encryption for sensitive personal information.
See BC PIPA Compliance Requirements for the complete current compliance framework.
What to do now
BC PIPA reform is coming — the only open question is timing. Organizations that build their privacy documentation under current BC PIPA will have a direct path to compliance when amendments arrive.
Designate a privacy officer if you have not already. This is a current PIPA obligation, not a future one.
Document your privacy policies and procedures — written policies covering collection, use, disclosure, retention, and disposal of personal information. This is the foundation of any future Privacy Management Program requirement.
Build your breach response procedure — the RROSH threshold and the obligation to notify affected individuals are not changing. An organization without a documented breach procedure has a gap under current BC PIPA.
Review your vendor contracts — if you share personal information with service providers, understand what your contracts require when a breach occurs on their side. Alberta's reform recommendations require formal data processing agreements with vendors; BC PIPA reform is expected to follow.
Monitor OIPC BC communications for any announcement of a BC PIPA review or reform process.
Start your BC PIPA compliance assessment →
Related guides
- BC PIPA Compliance Requirements — what BC private-sector and non-profit organizations must have in place under current BC PIPA
- BC PIPA Breach Reporting Requirements — individual notification is mandatory; regulator reporting is voluntary under current BC PIPA
- Alberta PIPA Reform: What the 12 Recommendations Mean for Your Business — where Alberta's private-sector reform stands — one reform cycle ahead of BC
- What Is Bill C-36? Canada's New Privacy Law — federal reform that BC must align with to maintain substantially similar status
- Which Privacy Law Applies to My BC Business? — when BC PIPA applies, when PIPEDA applies, and when both apply
This guide is based on BC Bill 9 — the Freedom of Information and Protection of Privacy Amendment Act, 2026 — as introduced in the 2nd Session of the 43rd Parliament. Bill 9 amends FIPPA (public-sector law) and does not amend BC PIPA. No BC PIPA amendment bill has been introduced as of June 2026. ClearBreach will update this guide when a private-sector reform bill is tabled.
Frequently asked questions
Has BC PIPA been amended?
No. BC PIPA — the private-sector privacy law — has not been amended as of June 2026. BC's 2026 reform activity (Bill 9) amends FIPPA, BC's public-sector privacy law. No BC PIPA reform bill or Standing Committee review has been announced.
What is BC Bill 9?
Bill 9 is the Freedom of Information and Protection of Privacy Amendment Act, 2026. It amends FIPPA — the law governing BC government ministries, municipalities, school boards, and universities. It does not amend BC PIPA, which governs private-sector and non-profit organizations.
Will BC PIPA require mandatory breach reporting to the OIPC BC?
Not yet. Under current BC PIPA, reporting a breach to the OIPC BC is voluntary — only individual notification is mandatory when RROSH is present. The trend across Canadian jurisdictions is toward mandatory regulator reporting, and BC PIPA reform is expected to follow — but no bill has been introduced.
How does BC compare to Alberta on privacy reform?
Alberta is further along. Alberta's Standing Committee on Resource Stewardship published 12 specific PIPA reform recommendations in February 2025, and the Government engaged with stakeholders through Spring 2026. BC has not announced a BC PIPA review or reform process — it is still at the public-sector reform stage.
What should BC private-sector organizations do now?
Build your privacy documentation under current BC PIPA. Designate a privacy officer, document your privacy policies, build a breach response procedure, and review your vendor contracts. When BC PIPA reform arrives, these foundations make compliance a straightforward update rather than a standing start.
This guide is educational and does not constitute legal advice. It is grounded in the text of PIPEDA, Alberta PIPA, and BC PIPA and published guidance from the OPC, OIPC Alberta, and OIPC BC. If your situation involves regulatory investigation, litigation risk, or circumstances not addressed here, engage a qualified privacy lawyer.