On 25 November, 2021, the Government of British Columbia (BC) passed Bill 22, the Freedom of Information and Protection of Privacy Amendment Act, 2021, which amends BC’s public sector privacy law, the Freedom of Information and Protection of Privacy Act (FIPPA), and which entered into effect immediately. While supportive of many of the updates, the BC Information and Privacy Commissioner (BC OIPC) has viewed certain provisions of the Bill as taking a "step backwards" in relation to privacy protection.
While the Bill amends the public sector privacy law in the province, the changes have the potential to impact private-sector entities acting as service providers to public bodies. The Bill expands the scope of FIPPA (Part 3 - Protection of Privacy) to apply to all employees and associates of the service providers.
Cross Border Data Flows
A major update, and one causing concern with the BC OIPC, is the removal of the data residency requirement which previously required personal information to be stored and accessed only in Canada, including personal information held by service providers. While the idea of updating this requirement is not in and of itself an issue, the main concern with this update from a privacy perspective is that this removal appears to come with no guaranteed protections for personal information transferred outside of Canada. As indicated in the Bill, any requirements relating to the disclosure of personal information outside of Canada will be found in regulations, if any, made by the responsible minister.
Detailed Privacy Offences
The Bill also adds a new provision, Section 65.4, which details privacy offences under FIPPA. This includes offences for service providers who collect, use, or disclose personal information, or who fail to notify the head of a public body of an authorized disclosure in contravention of Part 3 of FIPPA. This also applies to service providers who dismiss, suspend, demote, discipline, harass or otherwise disadvantage an employee, or deny the employee a benefit in relation to anything the employee has done, or the employer believes that the employee will do, as described under Section 30.3 (Whistle-blower protection) of FIPPA. Though the addition of these "snooping offences" is welcomed by the BC OIPC, there is concern that the list of offences under the Bill does not include "viewing of", or "access to" personal information.
Penalties for offences have also been substantially increased. Under the Bill, service providers who wilfully mislead, obstruct or fail to comply with the Commissioner can be fined upwards of $50,000 in the case of a partnership or individual, and $500,000 in the case of a corporation.
Service providers should ensure they are aware of the possible impact of public sector privacy laws when entering into service agreements with public bodies as part of their due diligence.
Starting with positive aspects of the proposals, I welcome the new requirements relating to privacy impact assessments, the new privacy breach notification rules, and the duty for public bodies to have privacy management programs. The inclusion of snooping offences is also a positive step. These and other constructive changes to FIPPA, discussed below, represent the most extensive amendments since 2011. They will help ensure British Columbia keeps pace with other jurisdictions across Canada and globally. […] however, other proposals would be a step backward for British Columbia.