NEWS RELEASE: Ministerial Order an exception to the rule

MEDIA RELEASE
March 30, 2020

Ministry of Citizens’ Services relaxes restrictions on the use of third-party tools and applications to disclose personal information inside or outside of Canada

VANCOUVER, March 30, 2020 – In the time of a global emergency, the protection of privacy and access to information rights needs to be kept at the forefront of policy discussions rather than used as a trade-off for convenience. Ministerial Order (no. M085) from the Minister of Citizens’ Services has called for a relaxation of the Freedom of Information and Protection of Privacy Act (FIPPA)’s data residency provisions in the context of the COVID-19 pandemic.

In addition to allowing the various provincial health authorities to disclose personal information inside or outside of Canada in response to COVID-19, the Order has given public bodies approval to use third-party tools and applications to disclose personal information inside or outside of Canada so long as they are being used “to support and maintain the operation of programs or activities of public [bodies]” and “to support public health recommendations or requirements” such as social distancing, working from home, etc. The order has an end date of June 30th, 2020.

We are firmly committed to the requirements for local data storage contained within the Act, even in extraordinary times. BC FIPA acknowledges that we are facing unprecedented challenges arising from the need to respond swiftly and responsibly to the COVID-19 pandemic, but this cannot be done at the expense of data residency and broader privacy rights. The all-party special committee who reviewed the Act in 2016 recommended that the personal information of British Columbians be protected in accordance with Canadian law – storing or accessing said data outside of Canada could subject it to a lower standard of privacy protection.  

BC FIPA is continuing to monitor for instances where the privacy of BC citizens is being sacrificed during the COVID-19 pandemic. “We hoped the government had exercised due diligence and put appropriate and necessary overrides in place that were triggered with the declaration of an emergency. It appears they felt those measures were insufficient and they took further action,” says Jason Woywada, BC FIPA’s executive director. “There needs to be consideration for the long-term impacts of personal information being disclosed to third parties that cross borders and the impact that creates. Privacy and data residency has been under attack for years by those who wish to profit from its erosion. Maintaining privacy and data residency requirements is a positive sum proposition and should always be considered.”

BC FIPA continues to call for a comprehensive overhaul of FIPPA that is informed by a deep and sincere commitment to updating and expanding the information and privacy rights of British Columbians.  

Contact: 
Jason Woywada, Executive Director 
BC Freedom of Information and Privacy Association 

– 30 –

Related Links: 

Order of the Minister of Citizens’ Services: Freedom of Information and Protection of Privacy Act: Ministerial Order No.M085 – March 17 
https://www2.gov.bc.ca/assets/gov/british-columbians-our-governments/services-policies-for-government/information-management-technology/information-privacy/resources/ministerial_order_085_respecting_disclosures_during_covid-19_emergency__march_2020_pdf.

Declaration of a state of emergency – March 18 
https://news.gov.bc.ca/releases/2020PSSG0017-000511

Decision of the OIPC Commissioner Michael McEvoy – March 18 
https://www.oipc.bc.ca/news-releases/2399

Report of the Special Committee to Review the Freedom of Information and Protection of Privacy Act 2016 
https://www.leg.bc.ca/content/CommitteeDocuments/40th-parliament/5th-session/foi/Report/SCFIPPA_Report_2016-05-11.pdf

The Right to Erasure

This is the third in our series on the privacy promises we can expect from a Liberal minority government.

Information about the Right to Erasure is from Innovation, Science and Economic Development Canada’s ‘Digital Charter: Trust in a digital world’, and the Liberal Party of Canada’s election 2019 platform document, ‘Forward: A real plan for the middle class’ (40).

The Promise

In the Liberal Party’s election platform, they committed to a new online right to “withdraw, remove, and erase basic personal data from a platform” (40). This seems to build and expand upon the third principle contained within Canada’s Digital Charter:

“Control and Consent: Canadians will have control over what data they are sharing, who is using their personal data and for what purposes, and know that their privacy is protected.”

– Canada’s Digital Charter

Unclear within this promise are two major things: what is defined as a platform; and how this new right will be different from what is currently contained within Canada’s private sector privacy legislation, the Personal Information Protection and Electronic Documents Act.

And, on the surface, it would appear that this new right does not go as far as the European Union’s ‘Right to be Forgotten’, which is found within the General Data Protection Regulations, and allows citizens to request that personal data be erased for a host of reasons and from entities not limited to “platforms”. Notably, this includes making requests to delist website pages in search results.

The Office of the Privacy Commissioner of Canada is currently seeking a determination from the Federal Court in order to clarify whether Google’s search engine is subject to PIPEDA. Thus, it may turn out that Canadians already have the ability to request that search engines de-index web pages that are responsive to a person’s name should they present unwarranted reputational harm.

The Reality

So far it’s unclear how this new right to erasure goes further than the access and correction rights that currently exist within Canada’s federal privacy legislation, the Privacy Act and PIPEDA, and B.C.’s provincial privacy legislation, FIPPA and PIPA.

Currently, PIPEDA does provide Canadians with some measure of control over their personal information. It does this by allowing individuals to correct the accuracy of their personal information in the control of a private organization, to withdraw their consent for the use of personal information, and to file a complaint with the Office of the Privacy Commissioner of Canada in order to create a record of dispute.

While these are not equivalent measures to the European Union’s ‘Right to be Forgotten’, they do allow Canadians some measure of control over their personal information and at the very least present a mechanism for addressing issues related to online reputational harm. In addition, PIPEDA also contains provisions that limit the amount of time that personal information can be retained, which in turn helps to ensure that personal information is disposed of when it is no longer required.

The Future

Important questions remain though about how effective these measures are in a digital environment. PIPEDA was created in 2000, as the internet and digital technologies were only emerging. Today, the internet is being used in ways, and on devices, that could not have been predicted 20 years ago.

With private organizations becoming increasingly reliant on personal information as a fundamental component of their business model, and the storage of personal information no longer experiencing the same physical and financial constraints, more needs to be done to protect consumers and to rebuild trust.

If Canada’s federal privacy legislation is amended to contain this new right to erasure, it may create the need to amend provincial privacy legislation to also include this new right in order to retain its equivalency. As well, new powers will need to be ascribed to provincial and federal information and privacy commissioners in order for them to be able to enforce new digital rights, like the Right to Erasure.

The Right to Data Portability

This is the second in our series on the privacy promises we can expect from a Liberal minority government.

From Innovation, Science and Economic Development Canada’s ‘Digital Charter: Trust in a digital world’, and the Liberal Party of Canada’s election 2019 platform document, ‘Forward: A real plan for the middle class’ (40).

In Canada’s Digital Charter, data portability fits within the fourth principle:

‘Transparency, Portability and Interoperability: Canadians will have clear and manageable access to their personal data and should be free to share or transfer it without undue burden.’

Clear and manageable access

Theoretically, Canadians already have “clear and manageable access” to their personal data.

For federal government institutions, Canadians have a right of access contained within section 12 of the Privacy Act. For private sector businesses, Canadians can submit requests to access personal information under the Personal Information Protection and Electronic Documents Act (PIPEDA).

In British Columbia, access to personal information held by provincial public bodies is realized through section 5 of the Freedom of Information and Protection of Privacy Act (FIPPA). For private businesses within the province, section 23 of the Personal Information Protection Act (PIPA) gives residents this ability.

In theory, the information rights enshrined within these four Acts already give Canadians “clear and manageable access to personal data”. What’s new then is the ability to “share or transfer it without undue burden.”

What this means, exactly, is not quite as clear.

Sharing and transferring data without undue burden

In their 2019 election platform, the Liberal Party describes data portability as the ability for people to “take their data from platform to platform” (40).

From this, we might assume that someone would have the right to extract all of their data from a platform like Facebook, Twitter, or Snapchat, and transfer it to a new platform that offers a similar service.

Why would someone want to do this? One reason might be that an alternative service provider offers greater privacy protections, which in turn would create greater competition among monopolistic platforms.

This also gives Canadians the opportunity to make meaningful choices about how they share their personal information with platforms.

International models

In the European Union, Article 20 of the General Data Protection Regulations (GDPR) gives residents a right to data portability. This right allows data subjects to receive personal data about themselves from data controllers and transmit that data to other controllers.

The GDPR also ensures that the data is provided “in a structured, commonly used and machine-readable format” and provides the right to have the personal data transmitted directly from one data controller to another.

A major difference between the European Union’s GDPR and Canada’s PIPEDA is that Canada’s private sector privacy legislation frames privacy as data protection and not as a fundamental human right.

What does a human rights-based approach to privacy look like in legislation? Article 4 of the GDPR lists the fundamental rights the Regulation respects, which include:

“[T]he respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and a fair trial, and cultural, religious and linguistic diversity.”

The proposed right to data portability is a significant step towards creating a human rights based approach to privacy in Canada. While it is not as comprehensive as the GDPR, it will give individuals greater autonomy in their ability to control their own personal data.

LifeLabs breach highlights data protection crisis in Canada

Vancouver, December 18, 2019 –  Yesterday, LifeLabs announced a data breach that affects 15 million Canadians. The breach, which primarily impacts clients in BC and Ontario, includes highly sensitive personal information, like medical diagnostic test results and genetic information.

The information was breached on October 28, 2019. LifeLabs has paid an unreported sum to cybercriminals for the return of the data, but it is unknown if copies of the data were made by the cybercriminals. LifeLabs is offering one year of cyber protection monitoring and security insurance to its customers.

This latest breach means that, in a period of just one year, every Canadian has likely been the victim of a data breach or knows someone who has.

According to figures released by the Office of the Privacy Commissioner of Canada, 28 million Canadians have been the subject of a data breach since November 1, 2018. With an additional 15 million Canadians impacted by the LifeLabs breach, that means there were more than 43 million incidents between November 2018 and November 2019.

This situation represents a crisis for privacy and data protection in Canada.

“Canadian privacy laws, both federal and provincial, are simply inadequate,” says Joyce Yan, FIPA’s Interim Executive Director. “They do not and will not protect Canadians from the potential harms that come from our increasingly digital world. Urgent law reform is needed. Every privacy commissioner in Canada needs to have investigatory, order-making, and fining power. Data breaches must be reported to them immediately.”

While breach notification became mandatory at the federal scale last year, it is still not a requirement provincially. As well, it is not required that companies notify individuals when their data has been breached. Public bodies are not required to report breaches at all.

“Private companies must face repercussions for negligent data handling practices,” says Yan. “These should include financial penalties for the company, financial penalties for individuals at the company, possible charges of criminal negligence, and financial compensation for those impacted.”

During an interview, LifeLabs CEO Charles Brown stated that he did not know if the data that was breached was even encrypted.

“This is an unacceptable and irresponsible position for leadership to hold. The head of a company that is entrusted with processing data that relates to the intimate aspects of our lives—our health, wellness, and biology—must be informed about the security measures taken to protect that information,” says Yan.

The Information and Privacy Commissioners for Ontario and BC are investigating the breach and will release a report at that investigation’s conclusion.

Contact:

Joyce Yan, Interim Executive Director

BC Freedom of Information and Privacy Association

Email: fipa (at) fipa.bc.ca

Phone:  604-739-9788

-30-