British Columbia unveils Significant Changes to FIPPA including new data sovereignty rules – Lexology

On October 18, 2021, the Government of British Columbia introduced Bill 22 (the “Bill”)[1] to amend the Freedom of Information and Protection of Privacy Act (“FIPPA”),[2] which governs how public bodies in British Columbia collect, use, store and disclose personal information. When presenting the Bill in British Columbia’s Legislative Assembly, Minister of Citizens’ Services Lisa Beare stated that the Bill responds to the need for safe and convenient online services and aims to enhance privacy protection and ensure that government can provide a level of service that keeps pace with new technology.

The Bill includes amendments that, if passed, would significantly change privacy regulation under FIPPA. Notably, the Bill would:

  • eliminate the prohibition on disclosing, storing and allowing access to personal information outside of Canada;
  • introduce a requirement that public bodies develop a privacy management program;
  • introduce a requirement that public bodies that experience a privacy breach notify affected individuals and the British Columbia Information and Privacy Commissioner (the “Commissioner”) where a privacy breach could be reasonably expected to result in significant harm; and
  • introduce new privacy offences, including where a person willfully collects, uses or discloses personal information except as authorized by FIPPA.

This blog post will explore each of these proposed amendments included in the Bill in greater detail. We do not discuss the data-linking and freedom of information-related amendments that are also in the Bill.

Data Sovereignty Requirements

Currently, under sections 30.1[3] and 33.1[4] of FIPPA, public bodies are not permitted to disclose, store or allow access to personal information outside of Canada, except in narrow and defined circumstances. Taken together, the general rule is that public bodies may only engage service providers, such as cloud hosting service providers, that store personal information in Canada, or obtain consent from each individual whose information the public body collects, to store or access such personal information outside of Canada. These restrictions, combined with the fact that many service providers do not have a physical presence in Canada, have limited the ability of public bodies in British Columbia to access a broader market of service providers.

If passed, the Bill would entirely repeal the prohibition on disclosing, storing and allowing access to personal information outside of Canada. Instead, a public body may disclose personal information outside of Canada if the disclosure is in accordance with the regulations, if any.[5] While draft regulations regarding transfers of data outside of Canada have yet to be released, moving restrictions on transfers of personal information out of the legislation and into regulations may allow the Government of British Columbia to act more nimbly in the currently dynamic environment of privacy regulation.[6] Independently of the amendments to section 33.1, amendments to section 33(2)(u) require that, where a public body relies on that section to permit the disclosure of personal information for processing, any processing outside of Canada must be temporary. The implications of the amendments to section 33(2)(u), and their interaction with the amendments to section 33.1, remain to be seen.

These amendments are consistent with the spirit of the temporary relaxation of data sovereignty requirements introduced on March 26, 2020, when the Minister of Citizens’ Services issued Ministerial Order M085 (the “Order”).[7] The Order temporarily permitted public bodies, for limited purposes, to disclose personal information outside of Canada through third party tools and applications. It was designed to allow public bodies to deliver digital services throughout the COVID-19 pandemic. It is unclear whether the Order, now set to expire on December 31, 2021,[8] will be extended further.

The amendments to the data sovereignty requirements have been met with opposition from the Commissioner, who wrote: “What is exceedingly troubling however, is that government now proposes to allow public bodies to send British Columbians’ personal information outside Canada without explaining how they will properly protect it.”[9] However, it is notable that FIPPA will still require public bodies to protect personal information in their control or custody by making reasonable security arrangements against risks such as unauthorized collection, use, disclosure or disposal.[10] Accordingly, while the changes in the Bill would provide public bodies with more flexibility in where personal information is stored and accessed from, public bodies will still be required to ensure the personal information is protected through reasonable security measures, which could include contractual and technical solutions such as encryption.

The Bill also brings FIPPA into closer alignment with public sector privacy legislation from other provinces. Currently, in all provinces except Newfoundland and Labrador,[11] Nova Scotia,[12] and Quebec,[13] there are no additional restrictions on provincial public bodies disclosing, storing or allowing access to personal information outside of Canada or the applicable province.

Privacy Management Program Requirements

The Bill proposes a new requirement for public bodies to develop a privacy management program. Under the proposed section 36.2, the privacy management program must be prepared in accordance with the directions of the Minister of Citizens’ Services, yet to be released.[14]

Commenting on this addition, the Commissioner stated: “I welcome the new requirements relating to privacy impact assessments, the new privacy breach notification rules, and the duty for public bodies to have privacy management programs.”[15] The Commissioner already provides guidance to public bodies on privacy management programs in its “Accountable Privacy Management in BC’s Public Sector” publication,[16] which may inform the requirements under FIPPA.

Privacy Breach Notification Requirements

The Bill also proposes a new privacy breach notification requirement for public bodies. Under the proposed section 36.3, if personal information in the custody of or under the control of a public body is stolen or lost, or collected, used or disclosed without being authorized by FIPPA, the head of the public body must notify the affected individual without unreasonable delay if the privacy breach could reasonably be expected to result in significant harm to the individual. The public body is also required to notify the Commissioner in such circumstances.

The significant harm contemplated by the section includes identity theft, bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, negative impact on a credit record, or damage to or loss of property.[17] Specific exceptions are carved out of the notification requirement if notifying the individual of the privacy breach could reasonably be expected to result in immediate and grave harm to the individual or another individual’s safety, physical health or mental health.

As noted above, the Commissioner supports the proposed privacy breach notification requirements; however, the Commissioner also suggested that an additional exception to the requirement be made where disclosure of the breach could compromise a criminal investigation. He also stated that such an exception would be “consistent with similar provisions elsewhere.”[18] Currently, Saskatchewan, Ontario, Newfoundland and Labrador, Yukon, Northwest Territories, and Nunavut have similar provisions that require public bodies to notify commissioners and affected individuals when personal information is stolen or lost, or collected, used or disclosed without authorization,[19] although the exact wording, timing of notification, and threshold for harm vary across the jurisdictions.

Privacy Offences

The Bill proposes the creation of part 5.1 to address offences under FIPPA, including the introduction of “snooping offences”. If the Bill is enacted, the willful collection, use or disclosure of personal information except as authorized under FIPPA, or the willful failure to notify the head of the public body of an unauthorized disclosure of personal information, would be an offence. This offence expressly applies to service providers and employees or associates of service providers, but also applies to other individuals. Notably, the Bill states that service providers themselves commit an offence if their employee or associate commits a snooping offence.

The Commissioner welcomed the creation of snooping offences stating that such offences “do occur and must be deterred or punished appropriately”[20] but expressed concern that the proposed amendments do not go far enough. Specifically, he suggested that the provision should explicitly make “viewing” and “accessing” personal information, except as authorized under FIPPA, an offence as well. These additions would make it entirely clear that “an individual’s mere observation of personal information is a collection of that information” and therefore, an offence.[21]

Other jurisdictions in Canada have already introduced snooping offences into their relevant public sector privacy legislation. Each of Alberta, Saskatchewan, Newfoundland and Labrador, Prince Edward Island, Northwest Territories, Yukon, and Nunavut prohibits the collection, use or disclosure of personal information, except as authorized under the relevant statute.[22]

Conclusion

At this point, the Bill has only received second reading in British Columbia’s Legislative Assembly, so the language has yet to be finalized. However, the proposed amendments signal that the Government of British Columbia recognizes that the existing data sovereignty requirements are too inflexible for public bodies seeking access to a broad global market of potential service providers, and that there are opportunities for enhancing privacy protection through the introduction of new privacy offences, privacy breach notification and privacy management program requirements.