On October 20, 2021 the government of the province of British Columbia (BC) in Canada introduced proposed amendments to the BC Freedom of Information and Protection of Privacy Act (FIPPA), which governs data collection and use by public bodies in the province. The amendments found in Bill 22 range from relatively minor grammatical changes to more substantive changes summarized below, as well as consequential amendments to various acts including the E-Health (Personal Health Information Access and Protection of Privacy) Act, Income Tax Act and the Secure Care Act.

Likely the most material proposed amendment relates to FIPPA's data residency provisions where personal information is required to be maintained in Canada and not accessible from outside of Canada except under specific circumstances. Bill 22 contemplates the repeal of FIPPA's existing section 33.1 with a section that permits a public body to disclose personal information outside of Canada only if the disclosure is in accordance with associated regulations. The government has not provided any proposed regulations, but has indicated their intention to bring BC into line with other jurisdictions and facilitate increased use of digital tools. These changes expand the possibility for British Columbia's public sector organizations to utilize services and products that process and store data outside of Canada. The government has highlighted these as important changes necessary to modernize the legislation and allow the public sector to access digital tools and technologies for the benefit of British Columbians.

Reaction to the proposed amendments was swift and mixed. In an October 20, 2021, letter the Information and Privacy Commissioner of British Columbia raised concerns about the removal of the data-residency requirement and leaving the specifics to the regulations. The Commissioner expressed concern both about content of the "as yet unknown" regulations, and noted that until regulations are in place, there are no protections for personal information disclosed outside of Canada.

The ultimate effect of the proposed changes to the data-residency requirement remains unknown at this time. The regulations, which have not yet been made publicly available, will provide the substantive guidance and limitations for disclosure outside of Canada. Amongst other things, those regulations could include requirements for mandatory assessment before exporting personal information and mandatory security principles.

Other notable proposed amendments to FIPPA include:

  • adding a disclosure exemption where the disclosure could reasonably be expected to harm the rights of an Indigenous people;
  • adding new offences for breaches, including "snooping" offences;
  • introducing a fee for non-personal Freedom of Information requests;
  • expanding duties for public bodies to maintain privacy management programs; and
  • the addition of a mandatory privacy breach notification obligation where the breach could reasonably be expected to result in significant harm to the impacted individual. This amendment is consistent with similar provisions found in the federal private sector privacy legislation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.