On October 18, 2021, the Government of British Columbia introduced Bill 22 (the “Bill”)[1] to amend the Freedom of Information and Protection of Privacy Act (“FIPPA”),[2] which governs how public bodies in British Columbia collect, use, store and disclose personal information. When presenting the Bill in British Columbia’s Legislative Assembly, Minister of Citizens’ Services Lisa Beare stated that the Bill responds to the need for safe and convenient online services and aims to enhance privacy protection and ensure that government can provide a level of service that keeps pace with new technology.

The Bill includes amendments that, if passed, would significantly change privacy regulation under FIPPA. Notably, the Bill would:

  • eliminate the prohibition on disclosing, storing and allowing access to personal information outside of Canada;
  • introduce a requirement that public bodies develop a privacy management program;
  • introduce a requirement that public bodies that experience a privacy breach notify affected individuals and the British Columbia Information and Privacy Commissioner (the “Commissioner”) where a privacy breach could be reasonably expected to result in significant harm; and
  • introduce new privacy offences, including where a person willfully collects, uses or discloses personal information except as authorized by FIPPA.

This blog post will explore each of these proposed amendments included in the Bill in greater detail. We do not discuss the data-linking and freedom of information-related amendments that are also in the Bill.

Data Sovereignty Requirements

Currently, under sections 30.1[3] and 33.1[4] of FIPPA, public bodies are not permitted to disclose, store or allow access to personal information outside of Canada, except in narrow and defined circumstances. Taken together, the general rule is that public bodies may only engage service providers, such as cloud hosting service providers, that store personal information in Canada, or obtain consent from each individual whose information the public body collects, to store or access such personal information outside of Canada. These restrictions, combined with the fact that many service providers do not have a physical presence in Canada, have limited the ability of public bodies in British Columbia to access a broader market of service providers.

If passed, the Bill would entirely repeal the prohibition on disclosing, storing and allowing access to personal information outside of Canada. Instead, a public body may disclose personal information outside of Canada if the disclosure is in accordance with the regulations, if any.[5] While draft regulations regarding transfers of data outside of Canada have yet to be released, taking restrictions on transfers of personal information out of legislation and moving them to regulations may allow the Government of British Columbia to act more nimbly in the currently dynamic environment of privacy regulation.[6] Independently of the amendments to section 33.1, amendments to section 33(2)(u) require any processing of information outside of Canada to be temporary where a public body relies on that section to permit the necessary disclosure of personal information for processing of information. The implications of the amendments to section 33(2)(u) and their interaction with the amendments to section 33.1 remain to be seen.

These amendments are consistent with the spirit of the temporary relaxation of data sovereignty requirements introduced on March 26, 2020, when the Minister of Citizens’ Services issued Ministerial Order M085 (the “Order”).[7] The Order temporarily permitted public bodies to disclose personal information outside of Canada for limited purposes through third-party tools and applications. It was designed to allow public bodies to deliver digital services throughout the COVID-19 pandemic. It is unclear whether the Order, now set to expire on December 31, 2021,[8] will be extended further.

The amendments to the data sovereignty requirements have been met with opposition from the Commissioner, who wrote: “What is exceedingly troubling however, is that government now proposes to allow public bodies to send British Columbians’ personal information outside Canada without explaining how they will properly protect it.”[9] However, it is notable that FIPPA will still require public bodies to protect personal information in their control or custody by making reasonable security arrangements against risks such as unauthorized collection, use, disclosure or disposal.[10] Accordingly, while the changes in the Bill would provide public bodies with more flexibility in where personal information is stored and accessed from, public bodies will still be required to ensure the personal information is protected through reasonable security measures, which could include contractual and technical solutions such as encryption.

The Bill also brings FIPPA into closer alignment with public sector privacy legislation from other provinces. Currently, in all provinces except Newfoundland and Labrador,[11] Nova Scotia,[12] and Quebec,[13] there are no additional restrictions on provincial public bodies disclosing, storing or allowing access to personal information outside of Canada or the applicable province.

Privacy Management Program Requirements

The Bill proposes a new requirement for public bodies to develop a privacy management program. Under the proposed section 36.2, the privacy management program must be prepared in accordance with the directions of the Minister of Citizens’ Services, yet to be released.[14]

Commenting on this addition, the Commissioner stated: “I welcome the new requirements relating to privacy impact assessments, the new privacy breach notification rules, and the duty for public bodies to have privacy management programs.”[15] The Commissioner already provides guidance to public bodies on privacy management programs in its “Accountable Privacy Management in BC’s Public Sector” publication,[16] which may inform the requirements under FIPPA.

Privacy Breach Notification Requirements…

Read The Full Article at McCarthy Tetrault
