On November 25, 2021, amendments to B.C.’s Freedom of Information and Protection of Privacy Act, R.S.B.C. 1996, c. 165 (“FOIPPA”) came into force through Bill 22-2021. The three notable changes I’ll document here are the data-residency provisions, the addition of fees to freedom of information (FOI) requests, and monetary penalties for privacy breaches.
I’ll start with the elephant in the room. Until this year, we had an excellent protection in public privacy law that required public organizations to keep the personal information of British Columbians accessed and stored on Canadian soil. The B.C. NDP has stripped that rule, and now your personal information can be stored on any foreign soil the government chooses. They insinuate they have a protection mechanism called a privacy impact assessment (PIA) to mitigate the risk, but these are weak and easy to circumvent if you’re malicious or economically incentivized to do so.
What does this mean for you as a citizen? What if your mental or sexual health data is stored on American or Saudi Arabian soil, by a government that may change from ally to foe in an election cycle, and that information is accessed by a malicious actor? What recourse do you as a citizen have? What assurance do you have that you would even know if a government official in that country secretly accessed the personal files of your children, if your student/school information is stored on Russian or Chinese servers?
I have absolutely no confidence this change in data-residency will do anything but increase the rate and severity of British Columbians’ personal information being compromised. It’s already being compromised regularly on Canadian soil with little recourse or repercussions. Why on earth would we choose to trust it in jurisdictions where the individual/citizen has no authority to challenge the privacy or security of their data?
We’ve also seen the erosion of freedom of information over the last decade from the B.C. Liberals and now the B.C. NDP, making it harder and harder to access information that we as a society have agreed should be free and accessible in 30 days. The government is consistently ignoring the 30-day response time, sometimes stretching it to years, and with the new amendments they’ve added a mandatory non-refundable $10 fee, creating more barriers to access for the less financially privileged.
Finally, monetary penalties for breaches have been increased up to $50,000 CAD. This sounds good until you consider how little 50k is to a large organization; now we just have 50k as a cost of doing business to allow privacy weaknesses into a system. Consider the budget of even a remote health authority: 50k is a rounding error. Penalties should be a notable percentage of a given budget. It’s also worth considering who is responsible, and who is paying. If this is taxpayer money, paying for a privacy violation of a bureaucrat who has switched roles and holds no personal accountability, the idea of monetary penalties on a public institution is silly.
What we are witnessing is the real-time intentional erosion of privacy, protection of identity and personal information of British Columbians, and lack of access to information by the present NDP government. Unfortunately, there is little non-commercial journalism left in B.C. to hold them to account, so they were allowed to slip this through with no reflection from the public at large or the privacy advocates and activists in the province.
We are all less safe as a result.