NEWS RELEASE: Ministerial Order an exception to the rule

MEDIA RELEASE
March 30, 2020

Ministry of Citizens’ Services relaxes restrictions on the use of third-party tools and applications to disclose personal information inside or outside of Canada

VANCOUVER, March 30, 2020 – In the time of a global emergency, the protection of privacy and access to information rights needs to be kept at the forefront of policy discussions rather than used as a trade-off for convenience.Ministerial Order (no. M085) from the Minister of Citizens’ Services has called for a relaxation of the Freedom of Information and Protection of Privacy Act (FIPPA)’s data residency provisions in the context of the COVID-19 pandemic.

In addition to allowing the various provincial health authorities to disclose personal information inside or outside of Canada in response to COVID-19, the Order has given public bodies approval to use third-party tools and applications to disclose personal information inside or outside of Canada so long as they are being used “to support and maintain the operation of programs or activities of public [bodies]” and “to support public health recommendations or requirements” such as social distancing, working from home, etc. The order has an end date of June 30th, 2020.

We are firmly committed to the requirements for local data storage contained within the Act, even in extraordinary times. BC FIPA acknowledges that we are facing unprecedented challenges arising from the need to respond swiftly and responsibly to the COVID-19 pandemic, but this cannot be done at the expense of data residency and broader privacy rights. The all-party special committee who reviewed the Act in 2016 recommended that the personal information of British Columbians be protected in accordance with Canadian law – storing or accessing said data outside of Canada could subject it to a lower standard of privacy protection.  

BC FIPA is continuing to monitor for instances where the privacy of BC citizens is being sacrificed during the COVID-19 pandemic. “We hoped the government had exercised due diligence and put appropriate and necessary overrides in place that were triggered with the declaration of an emergency. It appears they felt those measures were insufficient and they took further action” says Jason Woywada, BC FIPA’s executive director. “There needs to be consideration for the long-term impacts of personal information being disclosed to third parties that cross borders and the impact that creates. Privacy and data residency has been under attack for years by those who wish to profit from its erosion. Maintaining privacy and data residency requirements is a positive sum proposition and should always be considered.”

BC FIPA continues to call for a comprehensive overhaul of FIPPA that is informed by a deep and sincere commitment to updating and expanding the information and privacy rights of British Columbians.  

Contact: 
Jason Woywada, Executive Director 
BC Freedom of Information and Privacy Association 

– 30 –

Related Links: 

Order of the Minister of Citizens’ Services: Freedom of Information and Protection of Privacy Act: Ministerial Order No.M085 – March 17 
https://www2.gov.bc.ca/assets/gov/british-columbians-our-governments/services-policies-for-government/information-management-technology/information-privacy/resources/ministerial_order_085_respecting_disclosures_during_covid-19_emergency__march_2020_pdf.

Declaration of a state of emergency – March 18 
https://news.gov.bc.ca/releases/2020PSSG0017-000511

Decision of the OIPC Commissioner Michael McEvoy – March 18 
https://www.oipc.bc.ca/news-releases/2399

Report of the Special Committee to Review the Freedom of Information and Protection of Privacy Act 2016 
https://www.leg.bc.ca/content/CommitteeDocuments/40th-parliament/5th-session/foi/Report/SCFIPPA_Report_2016-05-11.pdf

The Right to Data Portability

This is the second in our series on the privacy promises we can expect from a Liberal minority government.

From Innovation, Science and Economic Development Canada’s ‘Digital Charter: Trust in a digital world’, and the Liberal Party of Canada’s election 2019 platform document, ‘Forward: A real plan for the middle class’ (40).

In Canada’s Digital Charter, data portability fits within the fourth principle:

‘Transparency, Portability and Interoperability: Canadians will have clear and manageable access to their personal data and should be free to share or transfer it without undue burden.’

Clear and manageable access

Theoretically, Canadians already have “clear and manageable access” to their personal data.

For federal government institutions, Canadians have a right of access contained within section 12 of the Privacy Act. For private sector businesses, Canadians can submit requests to access personal information under the Personal Information Protection and Electronic Documents Act (PIPEDA).

In British Columbia, access to personal information held by provincial public bodies is realized through section 5 of the Freedom of Information and Protection of Privacy Act (FIPPA). For private businesses within the province, section 23 of the Personal Information Protection Act (PIPA) gives residents this ability.

In theory, the information rights enshrined within these four Acts already gives Canadians “clear and manageable access to personal data”. What’s new then is the ability to “share or transfer it without undue burden.”

What this means, exactly, is not quite as clear.

Sharing and transferring data without undue burden

In their 2019 election platform, the Liberal Party describes data portability as the ability for people to “take their data from platform to platform” (40).

From this, we might assume that someone would have the right to extract all of their data from a platform like Facebook, Twitter, or Snapchat, and transfer it to a new platform that offers a similar service.

Why would someone want to do this? One reason might be that an alternative service provider offers greater privacy protections, which in turn would create greater competition among monopolistic platforms.

This also gives Canadians the opportunity to make meaningful choices about how they share their personal information with platforms.

International models

In the European Union, Article 20 of the General Data Protection Regulations (GDPR) gives residents a right to data portability. This right allows data subjects to receive personal data about themselves from data controllers and transmit that data to other controllers.

The GDPR also ensures that the data is provided “in a structured, commonly used and machine-readable format” and provides the right to have the personal data transmitted directly from one data controller to another.

A major difference between the European Union’s GDPR and Canada’s PIPEDA is that Canada’s private sector privacy legislation frames privacy as data protection and not as a fundamental human right.

What does a humans rights based approach to privacy look like in legislation? Article 4 of the GDPR lists the fundamental rights the Regulation respects, which include:

“[T]he respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and a fair trial, and cultural, religious and linguistic diversity.’

The proposed right to data portability is a significant step towards creating a human rights based approach to privacy in Canada. While it is not as comprehensive as the GDPR, it will give individuals greater autonomy in their ability to control their own personal data.

Federal Election 2019 Results: What does a Liberal minority government mean for ATI and privacy?

Previously, we compared access to information and privacy commitments in the platforms of four of Canada’s major federal political parties. Now, we’ll take a look at what we can expect from a Liberal minority government.

With the election results in, we now have greater clarity about how Canada will proceed with access to information and privacy in the years to come.

According to our ranking system, the Liberal Party made a total of six commitments out of a possible eleven, none of which were related to access to information. The only party to make more commitments was the Green Party.

Should the Liberal Party keep its commitments, we can expect the changes outlined below to privacy and data protection in Canada. These changes are part of something that the Liberal Party is calling Canada’s Digital Charter and were proposed before the election, in early 2019.

In an attempt to ensure equality, not all of the items contained within Canada’s Digital Charter were included within our ranking system. As noted below, some of these abilities theoretically already exist within Canada’s legislative framework.

The changes are the following:

In the coming months, we’ll publish articles that explain what each of these promises mean for Canadians and their privacy.

It should also be noted that Canada’s Digital Charter is based on consultations that took place between June and October of 2018. After FIPA was not invited to participate in any of the sixteen consultations, we filed an access to information request to learn who was in attendance.  

We learned that civil society organizations were significantly underrepresented in all the roundtable discussions, while input from the technology industry was overrepresented. On average, less than ten per cent of attendants were from civil society. In one case, representation from civil society was entirely absent.

Check back in on the news section of our website as we release the articles exploring the new rights that were promised by the Liberal Party during their 2019 campaign. This page will also be updated to include links to the articles as they become available.

Election 2019: Comparing Party Platforms

How Canada’s major federal political parties compare on issues related to privacy and access to information

The table below uses publicly available information contained within the platforms of Canada’s four major political parties: the Liberal Party, the Conservative Party, the New Democratic Party, and the Green Party.

FIPA is a non-partisan organization and this chart is only intended to be an easily accessible guide on how the parties are addressing issues related to privacy and access to information. It is not an endorsement of any particular party.

For more information about the specific statements issued by each party leading to these determinations, please see the information below the chart.

 Liberal PartyConservative PartyNew Democratic PartyGreen Party
Totals6329
Increase the powers of the Privacy Commissioner of CanadaYesUnclearYesYes
Increase the powers of the Information Commissioner of CanadaNothing stated Nothing statedNothing statedYes
Improve Access to InformationNothing statedNothing statedNothing statedYes
Ensure Political Parties fall under Canada's federal privacy legislation Nothing stated Nothing statedNothing stated Yes
Mandatory breach notifications YesUnclearNothing statedYes
Give citizens the ability to erase basic personal information from platforms YesUnclearNothing statedYes
Give citizens data portability YesNothing statedNothing stated Yes
Create stronger cyberbullying protectionsYesYesYesNothing stated
Create mandatory plain language consent agreementsNothing statedYesNothing stated Nothing stated
Give citizens ability to review and challenge amount of personal information being collected by governmentYesNoNothing stated Yes
Create regulations related to Artificial IntelligenceNothing stated YesNothing statedYes

Each of these determinations are based on the platform documents released by the major four political parties in 2019:

Liberal Party of Canada Platform 2019

Conservative Party of Canada Platform 2019

New Democratic Party of Canada Platform 2019

Green Party of Canada Platform 2019

Below are the quotes and page numbers where each of these determinations can be corroborated.

We encourage all political parties to provide us with additional details about their commitments, or to provide us with clarification on their positions, by writing to us (fipa@fipa.bc.ca).

Increase the powers of the Privacy Commissioner of Canada

Liberal Party: Yes. Included in Canada’s Digital Charter (40-41).

Conservative Party: Unclear. “We will employ sensible regulation, rigorous standards, and strong oversight over the personal information, data, and privacy of Canadians” (74).

New Democratic Party: Yes. The “New Democrats will work to strengthen privacy protections for Canadians by boosting the power of the Privacy Commissioner to make and enforce orders” (102).

Green Party: Yes. “Significantly increase the powers of the Privacy Commissioner, in particular to protect identity and personal data, and to enforce privacy laws” (75).

Increase the powers of the Information Commissioner of Canada

Liberal Party: Nothing stated.

Conservative Party: Nothing stated.

New Democratic Party: Nothing stated.

Green Party: Yes. Will “[s]trengthen the role and protect the independence of parliamentary officers including … the Information Commissioner” (73). They will also “[a]uthorize the Information Commissioner to order the release of information” (74)

Improve Access to Information

Liberal Party: Nothing stated.

Conservative Party: Nothing stated.

New Democratic Party: Nothing stated.

Green Party: Yes. They will do this by: removing all fees except filing fee; creating enforceable deadlines; put parliament, the PMO’s office, and all minister’s offices, within scope of ATI; ensure public interest comes before secrecy; allow Information Commissioner to review and determine if cabinet confidence applies; create a duty to document regarding ATI decisions (74).

Ensure Political Parties fall under Canada’s federal privacy legislation

Liberal Party: Nothing stated.

Conservative Party: Nothing stated.

New Democratic Party: Nothing stated.

Green Party: Yes. “Require political parties to follow the Privacy Act, without exceptions” (75).

Mandatory breach notifications

Liberal Party: Yes. Included in Canada’s Digital Charter. Also includes compensation (40-41).

Conservative Party: Unclear. Will establish “binding cyber security standards for critical infrastructure sectors and penalties for non-compliance” to protect Canadians from “largescale data breaches” (75).

New Democratic Party: Nothing stated.

Green Party: Yes. Will “[c]reate mandatory data breach reporting for all government departments, companies, banks and political parties” (75).

Give citizens the ability to erase basic personal information from platforms

Liberal Party: Yes. Included in Canada’s Digital Charter (40-41).

Conservative Party: Unclear. “We will employ sensible regulation, rigorous standards, and strong oversight over the personal information, data, and privacy of Canadians” (74).

New Democratic Party: Nothing stated.

Green Party: Yes. “Require companies to … to delete personal information from company databases when requested by that person. Individuals would have the ‘right to be forgotten.’” (75).

Give citizens data portability

Liberal Party: Yes. Included in Canada’s Digital Charter (40-41).

Conservative Party: Nothing stated.

New Democratic Party: Nothing stated.

Green Party: Yes. “Require companies to grant access to all information they hold on an individual” (75).

Create stronger cyberbullying protections

Liberal Party: Yes. Included in Canada’s Digital Charter (40-41) Will also “move forward with new regulations for social media platforms, starting with a requirement that all platforms remove illegal content, including hate speech, within 24 hours or face significant financial penalties. This will also include other online harms, such as radicalization, incitement to violence, exploitation of children, or creation or distribution of terrorist propaganda. Because hate speech continues to harm people offline as well, we will also look at options for civil remedies for victims of hate speech” (47-48).

Conservative Party: Yes. Will introduce the Cyberbullying Accountability Act, legislation that “prohibits the use of a phone or the internet to threaten or advocate self-harm”, create civil liability so that “the parents, guardians, or account holders of cyberbullies can be held liable” (74).

New Democratic Party: Yes. Will convene a “national working group to counter online hate and protect public safety, and make sure that social media platforms are responsible for remove [sic] hateful and extremist content before it can do harm” (96).

Green Party: Nothing stated.

Create mandatory plain language consent agreements

Liberal Party: Nothing stated.

Conservative Party: Yes. Will also only allow “data that is necessary to provide the service” to be collected (74).

New Democratic Party: Nothing stated.

Green Party: Nothing stated.

Give citizens ability to review and challenge amount of personal information being collected by government

Liberal Party: Yes. Included in Canada’s Digital Charter (40-41).

Conservative Party: No. Will increase funding to police infrastructure: “To better support local law enforcement, a new Conservative government will commit $30 million over five years to purchase new equipment. This would benefit mid-sized communities the most, since they do not have the same budget as larger police programs to access technology. We will create a grant program so that our law enforcement has access to every tool and technology available. This will empower law enforcement to keep our communities and neighbourhoods safe” (64).

New Democratic Party: Nothing stated.

Green Party: Yes. “Change the law to require the Communications Security Establishment and CSIS to get a warrant before intruding on Canadians’ communications”; “Prohibit the routine surveillance of Canadians who protest against the government and the sharing of protesters and NGO staff information with the National Energy Board, and others”; and “Prohibit cyber surveillance and bulk collection of data by intelligence and police agencies” (75).

Create regulations related to Artificial Intelligence

Liberal Party: Nothing stated.

Conservative Party: Yes. Will establish “regulatory standards for ethical and secure use” of Artificial Intelligence (74).

New Democratic Party: Nothing stated.

Green Party: Yes. Will create parliamentary committee to examine issues that include Artificial Intelligence (46).