Discussion over Canada's cross-border data flows is back in the news this week, specifically over whether personal health information needs to stay within certain borders.
Ontario's government seems to have made it a policy that physicians using third-party service providers must force those providers to access and store personal information only in Canada. If they use, for example, a U.S. cloud-service provider for virtual care, they risk not getting their Ontario Health Insurance Plan payment.
To be clear, this is not a legal requirement, but a policy. It is, however, a policy with real consequences, as it affects a health care provider's ability to get paid.
Seeing as this policy is not supported by the law — and in fact may contravene the trade laws between Canada and the U.S. — one brave U.S. company has filed a lawsuit seeking to have that policy quashed.
This scenario made me think back to July 2021, when Ontario's Office of the Information and Privacy Commissioner released an important decision regarding whether a school board, subject to one of the province's public sector laws, could use Google as a third-party contractor to provide students with educational tools. The complainant argued that by engaging with Google, students' personal information would be transferred outside the country, exposing it to the eyes of U.S. law enforcement.
The IPC rejected the complainant's argument and reiterated a test the office had used in past cases. That test is similar to the one used under the Personal Information Protection and Electronic Documents Act analysis. That is, if you are transferring personal information outside the country, two things must happen: 1. You provide notice; and 2. You protect the information through contractual mechanisms so that the personal information is adequately protected against misuse no matter what jurisdiction it ends up in.
The school board's use of Google's tools was not in violation of any privacy law or policy.
If you've read my thinking on this topic in the past, you'll know that I'm not a fan of data localization laws. I don't think they work at really protecting personal information, they are very expensive to deal with, they drive up costs and they are very inefficient. Case in point is the fact that British Columbia repealed their data localization requirements a few years ago, post-COVID-19 pandemic. It simply didn't work.
I hope the Ontario government voluntarily reverses its decision and instead imposes a policy on health care providers to play by the same rules of notice and protections through contractual mechanisms.
In today's interconnected world, we need practical and effective choices — not expensive policies that don't result in greater privacy protections.