Fallen Behind: Canada’s Access to Information Act in the World Context (2nd Edition)

Stanley Tromp has updated his 2008 book, Fallen Behind: Canada’s Access to Information Act in the World Context.

From Stanley Tromp:

The first edition of this book in 2008 detailed how Canada’s Access to Information Act had fallen behind the rest of the world’s FOI laws. Since then, the problem has only grown far worse (enough so that the revised book could well be entitled Fallen Further Behind). 

Cover Page
Fallen Behind cover page

In the authoritative Global Right to Information Rating system of the world’s 128 national laws, Afghanistan ranks number 1, while Canada – which ironically has so worked hard to transform that nation into a modern democracy – ranks 58. Mexico ranks second, followed by (in order) Serbia, Sri Lanka, Slovenia, Albania, India, Croatia, and Liberia.  

In his preface to the new edition, Halifax human rights lawyer Toby Mendel writes, “As someone who travels around the world promoting the right to information, it is frankly a source of profound embarrassment to me how poorly Canada does on this human right.”

Bill C-58 (which is now law) grants the Information Commissioner a barely adequate power to order the government to release records, and this is merely a baby step forward. When will the ATI Act ever be raised to accepted global standards? Canadians should insist upon answers.

Find the update book here.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.

NEWS RELEASE: Ministerial Order an exception to the rule

MEDIA RELEASE
March 30, 2020

Ministry of Citizens’ Services relaxes restrictions on the use of third-party tools and applications to disclose personal information inside or outside of Canada

VANCOUVER, March 30, 2020 – In the time of a global emergency, the protection of privacy and access to information rights needs to be kept at the forefront of policy discussions rather than used as a trade-off for convenience.Ministerial Order (no. M085) from the Minister of Citizens’ Services has called for a relaxation of the Freedom of Information and Protection of Privacy Act (FIPPA)’s data residency provisions in the context of the COVID-19 pandemic.

In addition to allowing the various provincial health authorities to disclose personal information inside or outside of Canada in response to COVID-19, the Order has given public bodies approval to use third-party tools and applications to disclose personal information inside or outside of Canada so long as they are being used “to support and maintain the operation of programs or activities of public [bodies]” and “to support public health recommendations or requirements” such as social distancing, working from home, etc. The order has an end date of June 30th, 2020.

We are firmly committed to the requirements for local data storage contained within the Act, even in extraordinary times. BC FIPA acknowledges that we are facing unprecedented challenges arising from the need to respond swiftly and responsibly to the COVID-19 pandemic, but this cannot be done at the expense of data residency and broader privacy rights. The all-party special committee who reviewed the Act in 2016 recommended that the personal information of British Columbians be protected in accordance with Canadian law – storing or accessing said data outside of Canada could subject it to a lower standard of privacy protection.  

BC FIPA is continuing to monitor for instances where the privacy of BC citizens is being sacrificed during the COVID-19 pandemic. “We hoped the government had exercised due diligence and put appropriate and necessary overrides in place that were triggered with the declaration of an emergency. It appears they felt those measures were insufficient and they took further action” says Jason Woywada, BC FIPA’s executive director. “There needs to be consideration for the long-term impacts of personal information being disclosed to third parties that cross borders and the impact that creates. Privacy and data residency has been under attack for years by those who wish to profit from its erosion. Maintaining privacy and data residency requirements is a positive sum proposition and should always be considered.”

BC FIPA continues to call for a comprehensive overhaul of FIPPA that is informed by a deep and sincere commitment to updating and expanding the information and privacy rights of British Columbians.  

Contact: 
Jason Woywada, Executive Director 
BC Freedom of Information and Privacy Association 

– 30 –

Related Links: 

Order of the Minister of Citizens’ Services: Freedom of Information and Protection of Privacy Act: Ministerial Order No.M085 – March 17 
https://www2.gov.bc.ca/assets/gov/british-columbians-our-governments/services-policies-for-government/information-management-technology/information-privacy/resources/ministerial_order_085_respecting_disclosures_during_covid-19_emergency__march_2020_pdf.

Declaration of a state of emergency – March 18 
https://news.gov.bc.ca/releases/2020PSSG0017-000511

Decision of the OIPC Commissioner Michael McEvoy – March 18 
https://www.oipc.bc.ca/news-releases/2399

Report of the Special Committee to Review the Freedom of Information and Protection of Privacy Act 2016 
https://www.leg.bc.ca/content/CommitteeDocuments/40th-parliament/5th-session/foi/Report/SCFIPPA_Report_2016-05-11.pdf

Statement on Investigation Report into AggregateIQ

Privacy violations highlight the need for law reform

Earlier this week, the Office of the Privacy Commissioner of B.C. (OIPC BC) and the Office of the Privacy Commissioner of Canada (OPC) released a joint investigation report that found a B.C. company violated B.C.’s provincial and Canada’s federal privacy laws.

While conducting business on high-profile campaigns in the U.K., the U.S., and in Canada, the report states that AggregateIQ did not comply with the consent provisions in B.C.’s Personal Information Protection Act (PIPA) and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and did not employ reasonable security safeguards.

The report makes two recommendations in order for the offending company to become compliant with Canadian privacy laws:

  • That they take measures to ensure that the consent that they have received to collect, use, and disclose personal information is in compliance with PIPA and PIPEDA;
  • And that they employ reasonable security safeguards to protect the personal information in their control.

The OIPC BC and the OPC will collect evidence from the company in approximately six months to confirm that the recommendations have been implemented and that the company is now compliant.

Fines are the international standard for privacy enforcement

This response highlights the need for Canadian regulatory bodies to have the power to issue fines when they find organizations to be in violation of Canadian law.

When asked why no fines were issued despite the investigation finding the company to have violated Canadian privacy laws, the Information and Privacy Commissioner for B.C., Michael McEvoy said: “There are no fines because we do not have the authority to levy fines.”

Absent amongst the international media attention that this report received, is the observation that Canada’s privacy regulators are powerless to enforce privacy laws through fines.

International regulators are using their fining powers to compel compliance to great effect. Examples include the Federal Trade Commission’s $5 billion civil penalty against Facebook, and the Information Commissioner Office (ICO) in U.K.’s intention to fine British Airways more than £183 million.

In fact, the ICO in the U.K. has a standing enforcement notice against AggregateIQ, threatening fines of up to 20 million Euros should the company not comply with their notice within 30 days of the conclusion of the joint OIPC and OPC investigation.

This leads one to wonder if AggregateIQ is implementing the recommendations of the OIPC BC and OPC out of good faith, or because they face the threat of significant fines from an international regulatory body.

Canadian regulators need fining power to protect privacy

“At the end of the day, privacy, and the legislation that governs it, needs to be brought into the 21st century where the realities of cross-boundary data sharing leave much to be coveted in terms of protections for personal information,” says Joyce Yan, BC FIPA’s Interim Executive Director.

“We have been a longtime advocate for increasing the Commissioners’ powers, but with the case of AggregateIQ, it has become clear that order-making powers (a tool the federal Privacy Commissioner still doesn’t have in his toolkit) is simply not enough. The provincial and federal privacy laws are antiquated, and we are falling behind our foreign counterparts.”

We strongly urge our fellow privacy advocates to join us as we continue to push for law reform that gives Canadian regulators the power necessary to protect privacy and compel compliance.

Federal Election 2019 Results: What does a Liberal minority government mean for ATI and privacy?

Previously, we compared access to information and privacy commitments in the platforms of four of Canada’s major federal political parties. Now, we’ll take a look at what we can expect from a Liberal minority government.

With the election results in, we now have greater clarity about how Canada will proceed with access to information and privacy in the years to come.

According to our ranking system, the Liberal Party made a total of six commitments out of a possible eleven, none of which were related to access to information. The only party to make more commitments was the Green Party.

Should the Liberal Party keep its commitments, we can expect the changes outlined below to privacy and data protection in Canada. These changes are part of something that the Liberal Party is calling Canada’s Digital Charter and were proposed before the election, in early 2019.

In an attempt to ensure equality, not all of the items contained within Canada’s Digital Charter were included within our ranking system. As noted below, some of these abilities theoretically already exist within Canada’s legislative framework.

The changes are the following:

In the coming months, we’ll publish articles that explain what each of these promises mean for Canadians and their privacy.

It should also be noted that Canada’s Digital Charter is based on consultations that took place between June and October of 2018. After FIPA was not invited to participate in any of the sixteen consultations, we filed an access to information request to learn who was in attendance.  

We learned that civil society organizations were significantly underrepresented in all the roundtable discussions, while input from the technology industry was overrepresented. On average, less than ten per cent of attendants were from civil society. In one case, representation from civil society was entirely absent.

Check back in on the news section of our website as we release the articles exploring the new rights that were promised by the Liberal Party during their 2019 campaign. This page will also be updated to include links to the articles as they become available.