Bill 22, the Freedom of Information and Protection of Privacy Amendment Act, would bring in new privacy breach notification rules, create an offence for interfering with access to information requests and also take action against “snooping,” where public sector staff access information without authorization.
Minister of Citizens’ Services Lisa Beare said the amendments to the Freedom of Information and Protection of Privacy Act (FIPPA) will “help people continue to access the services they need faster while ensuring their privacy is protected” and are necessary because of the rapid development in technology over the past few years.
“The COVID-19 pandemic changed the way we live, work, connect with loved ones and access the services we need. Today, people can safely talk to their doctor via Zoom, learn online and do business faster,” she said. “We’re making changes today to keep pace with advancements in technology and provide the level of service that people expect in the digital era.”
But the bill has been met with red flags from provincial information and privacy commissioner Michael McAvoy, who has written a letter to the government raising concerns that the substance of many of the key amendments will be filled through future regulations “about which we know nothing.” He wrote that this is particularly problematic due to the government’s decision to remove a requirement in FIPPA which legislates that personal information of B.C. citizens to be stored in and only accessed from within Canada.
“It is crucial for government to disclose now what it intends to do to protect the personal privacy of British Columbians whose personal information may be exported outside Canada,” McAvoy wrote. “The issues at stake — particularly respecting the data residency amendments — are too important, and meaningful debate depends on everyone knowing what is intended.”
Daniel Reid, Harper Grey LLP
“And the government has said that can all be filled in with regulation — but the real concern is where is that regulation? It should not be a matter of saying just trust us,” he said. “We added data residency requirements in 2004 because of concerns that Canadian information could be accessed under the U.S. Patriot Act, but there has been an explosion of data since then. There may be valid reasons why having a strict data residency requirement is just no longer feasible, but the need for those protections and the rationale for those protections haven’t gone away — in fact, it has been heightened.”
And a coalition of civil society groups has also raised alarm bells about the bill. The coalition, which consists of organizations such as the B.C. Freedom of Information and Privacy Association (FIPA), the B.C. Civil Liberties Association (BCCLA) and the Sierra Club, says the bill will “undermine access to information and make public bodies less transparent” and is a “step backwards for openness and accountability.” It is calling for the bill to be withdrawn and allow for the all-party special committee which is statutorily required to review FIPPA to complete its work.
FIPA president Mike Larsen said he had significant concerns around the inclusion of filing fees for information requests and the bill removing the premier’s office from the schedule of public bodies covered by the legislation “which is a remarkable step in terms of walking back transparency.”
“I think it is deeply problematic to remove the highest elected office in the land from the scope of the legislation. And creating a financial disincentive for transparency rights is also a step backwards,” he said. “For a long time, B.C. has stood its ground and not had a filing fee, but that kind of disincentive will create barriers, particularly for people who are less well resourced in the filing of access requests.”
Larsen said there were several positives in the bill, particularly the privacy breach notification rules, but those tended to be outweighed by the negatives.
“It is difficult for Canadian jurisdictions to hold foreign jurisdictions to account on breaches of personal information which are held abroad. We want to have information held in a jurisdiction where Canadian courts and institutions can easily get at it in the context of a breach,” he said. “Look at the Clearview AI case — there were massive investigations by a lot of people in Canada but ultimately not much in the way of change, in part because of that different jurisdictional issue and in part because of a lack of order making powers. So, moving our data away from areas where we have control over it has always been problematic.”
Bill 22 passed second reading at the B.C. Legislative Assembly Oct. 26. In an e-mail, a representative from the Ministry of Citizens’ Services said that the government “values the meaningful consultation that has occurred with the information and privacy commissioner in our 20 meetings with him and his office.”
“We have included many items in this package and revised others that respond directly to the commissioner’s recommendations and feedback,” the representative said. “The bill is now before members of the legislature and we will await the outcome of their debate and vote.”
If you have any information, story ideas or news tips for The Lawyer’s Daily please contact Ian Burns at Ian.Burns@lexisnexis.ca or call 905-415-5906.