Privacy commissioner details concerns about FOIPPA amendments

It took B.C. information and privacy commissioner Michael McEvoy seven pages to detail his concerns about Bill 22, Freedom of Information and Protection of Privacy Amendment Act, including his “overriding concern” about what the proposed legislation lacks: details about how its myriad amendments will work in practice.

McEvoy issued an open letter to Citizens’ Services Minister Lisa Beare yesterday containing a line-by-line analysis of the legislation and its faults as well as a few “constructive changes” proposed by the bill.

Much of the legislation’s function is set to be determined “through regulations, about which we know nothing,” McEvoy noted.

The NDP government is essentially telling legislators, stakeholders and the public, “trust us, we’ll come up with something,” McEvoy told BC Today.

“How can you actually intelligently vote on something like that, when you don’t know what’s being put in its place because those regulations are not going to be debated in the legislature,” he said.

Many of the concerns flagged in McEvoy’s letter relate to the regulatory lack, an omission he urges the government to address by publishing draft regulations for public comment.

“At the very least, it is imperative that my office be consulted on the draft regulations, as soon as they are available, as their content will provide the crucial legal substance on data residency protections and other important matters,” he wrote.

While the proposal to add filing fees to Freedom of Information requests has been the focus of most criticism of the bill so far, Bill 22 makes a suite of other changes to the way public bodies store private information.

B.C. is about to go from a situation where allowing private data collected by public bodies to be stored outside of Canada — say on a cloud server based in the U.S. — is “almost completely prohibited to completely throwing the doors wide open without any safeguards around that change,” according to the commissioner.

“[There] is nothing in terms of guardrails, of provisions that would ensure that public bodies have to consider the consequence of sending information outside of Canada if that’s what they want to do,” McEvoy told BC Today. “[There’s] no requirement for them to do an analysis of what kind of information they have, what kind of information they are going to send away from Canada, where they are going to send it.”

While the April 2020 ministerial order issued by Beare’s predecessor “was a relaxation of the rules” around keeping private data inside the country, “provisions were put in place to ensure that if technology tools were going to be used in the education sector or in the health sector that those were done in a proper appropriate way that was going to protect people’s information,” McEvoy said.

The commissioner is “completely in favour of innovation and using services that are going to benefit British Columbians and public bodies,” but “you have to do them in the right way, and that’s the issue that we’re talking about here, ensuring that they’re done in the right way.”

McEvoy said the NDP’s legislation “is without any independent oversight” requirements on data residency practices.

“In fact, the legislation does not even require there to be regulations in place,” he told BC Today. “If the minister has something that she believes is going to do the job, then it strikes me she has an obligation to put that out into the public sphere before legislators vote on whether to get rid of this prohibition on data being disclosed outside of Canada.”

The bill also makes changes to rules around data-linking — creating links between records from different sources to make them more useful or easier to understand. It’s an area on which public bodies are required to consult McEvoy’s office before implementing their own practices.

“Bill 22 leaves the details of how data-linking activities are to be conducted to regulations, about which we have no details,” the commissioner wrote. “These regulations must include rules and requirements for data-linking programs that bring transparency to these activities and include protections that are common in other provinces.”

Another feature of the bill that concerns the privacy commission is the removal of the Office of the Premier from the list of public bodies covered by Schedule 2 of the Freedom of Information and Protection of Privacy Act. The NDP government’s argument appears to be that the premier “is a minister and therefore his office is a ministry” covered by Schedule 1 of the act — an assertion that is far from clear-cut, per McEvoy.

“This is not, with respect, clear in law or constitutional convention, and this change would introduce, at the very least, uncertainty in the application of the law,” he wrote. “Moreover, I am not aware of any harm flowing from retaining this designation, which obviously begs the question as to why the change is being made when the outcome is, again, not as clear as I am told government believes it is.”