I’m halfway through teaching a group of approximately 40 students who are studying for the CIPP/C exam. We use the chat function on our video platform to field questions and comments and, so far, the discussions have been very good.
One topic that has come up a few times is data localization requirements. One province that currently has a pretty strict and complicated data localization requirements is British Columbia, which surprises some people. It’s contained in their public sector law and does not apply to the private sector, although it can raise challenges when the public sector outsources.
This week, to get on the law reform bandwagon, the British Columbia government introduced legislation that will, if passed, amend the law in a few ways that are worth checking out. I was pretty surprised to see they are proposing to completely repeal their data localization requirement.
I think this is ultimately a good thing. The way it is currently drafted, the law is confusing, complex and, in my opinion, doesn’t really work in the real world. It is nearly impossible to completely comply with and I think it ultimately only adds to the costs associated with implementing new programs. I also think it is inconsistent with the new NAFTA.
As you’ll see in the article we summarize below, Michael McEvoy, the information and privacy commissioner for B.C., is challenging the way his government has gone about this change. In his public statement reacting to the changes, he states: “What is exceedingly troubling, however, is that government now proposes to allow public bodies to send British Columbians’ personal information outside Canada without explaining how they will properly protect it. Without concrete alternative protections for people’s data, the government is effectively asking the Legislative Assembly for a blank check to eliminate the current restrictions on public bodies accessing and storing people’s personal information outside of Canada.”
Hopefully, there’s a solution to be had here. B.C.’s data localization has been an anomaly and somewhat of a pain, but I agree that you should have to safeguard information wherever it might be. I think you can allow public bodies in the province to operate in a globally connected world and, at the same time, ensure they do so while properly protecting the personal information under their control.
We’ll see how this plays out in the coming weeks as the bill gets studied. The OIPC has indicated it will come out with a more fulsome analysis in the next few days. I’ll be reading it carefully.