The Right to Data Portability

This is the second in our series on the privacy promises we can expect from a Liberal minority government.

From Innovation, Science and Economic Development Canada’s ‘Digital Charter: Trust in a digital world’, and the Liberal Party of Canada’s election 2019 platform document, ‘Forward: A real plan for the middle class’ (40).

In Canada’s Digital Charter, data portability fits within the fourth principle:

‘Transparency, Portability and Interoperability: Canadians will have clear and manageable access to their personal data and should be free to share or transfer it without undue burden.’

Clear and manageable access

Theoretically, Canadians already have “clear and manageable access” to their personal data.

For federal government institutions, Canadians have a right of access contained within section 12 of the Privacy Act. For private sector businesses, Canadians can submit requests to access personal information under the Personal Information Protection and Electronic Documents Act (PIPEDA).

In British Columbia, access to personal information held by provincial public bodies is realized through section 5 of the Freedom of Information and Protection of Privacy Act (FIPPA). For private businesses within the province, section 23 of the Personal Information Protection Act (PIPA) gives residents this ability.

In theory, the information rights enshrined within these four Acts already gives Canadians “clear and manageable access to personal data”. What’s new then is the ability to “share or transfer it without undue burden.”

What this means, exactly, is not quite as clear.

Sharing and transferring data without undue burden

In their 2019 election platform, the Liberal Party describes data portability as the ability for people to “take their data from platform to platform” (40).

From this, we might assume that someone would have the right to extract all of their data from a platform like Facebook, Twitter, or Snapchat, and transfer it to a new platform that offers a similar service.

Why would someone want to do this? One reason might be that an alternative service provider offers greater privacy protections, which in turn would create greater competition among monopolistic platforms.

This also gives Canadians the opportunity to make meaningful choices about how they share their personal information with platforms.

International models

In the European Union, Article 20 of the General Data Protection Regulations (GDPR) gives residents a right to data portability. This right allows data subjects to receive personal data about themselves from data controllers and transmit that data to other controllers.

The GDPR also ensures that the data is provided “in a structured, commonly used and machine-readable format” and provides the right to have the personal data transmitted directly from one data controller to another.

A major difference between the European Union’s GDPR and Canada’s PIPEDA is that Canada’s private sector privacy legislation frames privacy as data protection and not as a fundamental human right.

What does a humans rights based approach to privacy look like in legislation? Article 4 of the GDPR lists the fundamental rights the Regulation respects, which include:

“[T]he respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and a fair trial, and cultural, religious and linguistic diversity.’

The proposed right to data portability is a significant step towards creating a human rights based approach to privacy in Canada. While it is not as comprehensive as the GDPR, it will give individuals greater autonomy in their ability to control their own personal data.

LifeLabs breach highlights data protection crisis in Canada

Vancouver, December 18, 2019 –  Yesterday, LifeLabs announced a data breach that affects 15 million Canadians. The breach, which primarily impacts clients in BC and Ontario, includes highly sensitive personal information, like medical diagnostic test results and genetic information.

The information was breached on October 28, 2019. LifeLabs has paid an unreported sum to cybercriminals for the return of the data, but it is unknown if copies of the data were made by the cybercriminals. LifeLabs is offering one year of cyber protection monitoring and security insurance to its customers.

This latest breach means that, in a period of just one year, every Canadian has likely been the victim of a data breach or knows someone who has.

According to figures released by the Office of the Privacy Commissioner of Canada, 28 million Canadians have been the subject of a data breach since November 1, 2018. With an additional 15 million Canadians impacted by the LifeLabs breach, that means there were more than 43 million incidents between November 2018 and November 2019.

This situation represents a crisis for privacy and data protection in Canada.

“Canadian privacy laws, both federal and provincial, are simply inadequate,” says Joyce Yan, FIPA’s Interim Executive Director. “They do not and will not protect Canadians from the potential harms that come from our increasingly digital world. Urgent law reform is needed. Every privacy commissioner in Canada needs to have investigatory, order-making, and fining power. Data breaches must be reported to them immediately.”

While breach notification became mandatory at the federal scale last year, it is still not a requirement provincially. As well, it is not required that companies notify individuals when their data has been breached. Public bodies are not required to report breaches at all.

“Private companies must face repercussions for negligent data handling practices,” says Yan. “These should include financial penalties for the company, financial penalties for individuals at the company, possible charges of criminal negligence, and financial compensation for those impacted.”

During an interview, LifeLabs CEO Charles Brown stated that he did not know if the data that was breached was even encrypted.

“This is an unacceptable and irresponsible position for leadership to hold. The head of a company that is entrusted with processing data that relates to the intimate aspects of our lives—our health, wellness, and biology—must be informed about the security measures taken to protect that information,” says Yan.

The Information and Privacy Commissioners for Ontario and BC are investigating the breach and will release a report at that investigation’s conclusion.

Contact:

Joyce Yan, Interim Executive Director

BC Freedom of Information and Privacy Association

Email: fipa (at) fipa.bc.ca

Phone:  604-739-9788

-30-

Statement on Section 22 of Bill 35: FIPPA Reform

From FIPA President Mike Larsen

The introduction of the amendments to B.C.’s Freedom of Information and Protection of Privacy Act (FIPPA) contained in section 22 of Bill 35 demonstrate that the government is willing to move forward on legislative reform.

And as the all-party special committee who reviewed the Act in 2016 found in their 39 recommendations, the FIPPA is definitely in need of reform.

But, when it comes to the proposed amendments to the FIPPA contained in Bill 35, the B.C. Freedom of Information and Privacy Association (FIPA) supports the assessment of the Office of the Information and Privacy Commissioner of B.C. (OIPC).

We are firmly committed to the requirements for local data storage contained within the Act. We do not support amendments to the legislation that function to erode the protections enshrined in the Act. The OIPC assessment of the language in section 22 of Bill 35 as “too permissive” is entirely accurate.

B.C. FIPA is disappointed by the proposed reforms to the FIPPA for the following reasons:

  • The government has made numerous commitments to transparency and privacy that are not achieved by these amendments. They promised comprehensive FIPPA reform in their campaign; they have consulted with the public around FIPPA reform; they have strong recommendations for reform from legislative review and from current and former Information and Privacy Commissioners.
  • We do not support reforms to the Act that weaken existing privacy protections for British Columbians. The proposed amendments deal with exceptions to current outside-of-Canada processing and storage restrictions. To date, this is the only legislative reform that the government has proposed to the FIPPA. Rather than strengthening freedom of information or protection of privacy, the proposed amendments is a qualification of existing rights, and not an expansion.
  • We do not need incremental FIPPA reforms through “Miscellaneous Statute Amendments”. We need a comprehensive overhaul of the FIPPA that is informed by a deep and sincere commitment to updating and expanding the information and privacy rights of British Columbians. This requires vision and leadership.

Despite all of this, the proposed amendments in section 22 of Bill 35 do demonstrate that the government is willing to make reforms to the FIPPA. In the wake of scandal, the challenge for the government will be to realize the possibility of these reforms. The proposed amendments for the FIPPA in Bill 35 are a move that is too little, too late, and in the wrong direction.

The government now has an opportunity to distinguish itself from previous governments by proposing meaningful reform that further the information and privacy rights for British Columbians. They have promised transparency and accountability and it is now time to demonstrate it.

Criminal Investigation into the Conduct of a Former Minister

Vancouver, October 7, 2019 –  The Premier of British Columbia, John Horgan, announced late Friday that he has accepted the resignation of the Minister of Citizens’ Services, Jinny Sims, due to an ongoing RCMP investigation into her conduct. At this time, precise details into the nature criminal investigation of Minister Sims are unknown.

The former Minister of Citizens’ Services oversaw the administration of the freedom of information laws that are contained within the Freedom of Information and Protection of Privacy Act (FIPPA) and the records management practices contained in the Information Management Act (IMA).

During their 2017 campaign, the NDP promised to make reforms to the FIPPA. These included the creation of a duty to document government decisions and the inclusion of this provision within the FIPPA. Instead, the government added this provision to the IMA, which places authority within the former Minister to ensure government accountability. If the provision were to be included in the FIPPA, independent oversight would be given to the Information and Privacy Commissioner of BC.  

“This is a time for the government to move forward with a comprehensive reform of the Freedom of Information and Protection of Privacy Act,” says Sara Neuert, the Executive Director of the BC Freedom of Information and Privacy Association. “This is a necessary step in rebuilding trust with the public, it’s what was promised, and it’s the recommendation of the all-party special legislative committee that reviewed the FIPPA in 2016, former Information and Privacy Commissioner Elizabeth Denham, and current Commissioner Michael McEvoy.”

The former Minister of Citizens’ Services, Jinny Sims, issued a public apology in the spring of 2018 for conduct that contravened BC’s freedom of information laws. In the spring of 2019, a former staff member made several new allegations, which included an accusation that the former Minister continues to break these laws. We will be following the RCMP investigation very closely.

Contact:

Sara Neuert, Executive Director

BC Freedom of Information and Privacy Association

Email: fipa (at) fipa.bc.ca

Phone: 604-739-9788

-30-