This is the third post in a blog series that questions the risks that we’re willing to assume and examines the hazards that are present in the current information technology landscape. Although it’s never a one-size-fits-all situation, British Columbia’s current legal framework has a specific provision that affects everyone in the province. You can read the first post, here, and the second, here.
We’ve heard the arguments for amending the section BC’s Freedom of Information and Protection of Privacy act that states that all personal information must reside on Canadian soil. Now we’ll explore some of the reasons why this section shouldn’t be changed.
The emerging need for data sovereignty
When the act was passed into law in the early 1990s, concerns over personal information flowing into the United States were mostly speculative. Section 30.1, at that point, was a protective measure against a possible foreign government that didn’t respect privacy.
The act goes under review quite regularly. Although the recommendations the special committees present to government are non-binding, they’ve consistently seen the importance in keeping section 30.1 in the act.
And, in the 20 plus years since the act was passed, we’ve seen vast changes in technology that have unimaginably increased the amount of data that we create about ourselves. We’ve also entered an epoch where governments invade personal privacy in the name of national security.
As technology rapidly advances and political rhetoric distorts national and international values, 30.1 has become one measure that, in theory, protects the privacy of millions of people living in British Columbia. But as we’ve seen in the last post, it does so at a cost.
I spoke with Mike Larsen, the president of BC’s Freedom of Information and Privacy Association, and Vincent Gogolek, its executive director, to get a better sense of what might happen if that section of the act were to be changed.
What would be the impact of amending 30.1?
When it comes to Mr. Hancock’s argument about the need to access cloud computing services, Mr. Larsen said that the advantages are not entirely clear to him—noting that amending the act would remove the incentive to create servers in Canada.
Mr. Gogolek added that, because of a demand in the private sector, Google has recently opened server farms in Canada. If 30.1 were amended, there wouldn’t be a market for creating this kind of infrastructure in Canada for the public sector.
When it comes to the ‘illusion of consent,’ both Mr. Larsen and Gogolek said that has historically been the work-around for public institutions; they’re able to circumnavigate 30.1 by asking for permission without being able to offer a reasonable alternative.
Just like with QLess, the automated que system at UBC that sends personal information into the U.S. and originally prompted my interest in section 30.1, public bodies are not effectively able to offer reasonable alternatives.
Does sitting in Brock Hall for 45 minutes and waiting for your name to be called seem equivalent to being able to leave and receiving a text message when your turn has arrived?
Likewise, if UBC and the other research universities began sending the personal information of students into the U.S. or elsewhere, is it reasonable to expect them to enrol at other universities?
“You don’t have a choice,” said Mr. Gogolek, “You don’t get to go to UVIC, or deal with a different ministry of finance, or health ministry.”
So right now, in order to bypass 30.1, there has to be, at the very least, the illusion of consent. But if the proposed amendment was made, that would be gone. And our personal information could be fed directly into “the big NSA suck hole in Utah,” said Mr. Gogolek.
What effect will this have on students?
“We know what will happen in terms of the Patriot Act,” Mr. Gogolek said. “Something in your American politics paper gets sent down there and suddenly you can’t get into the United States.”
The politics of privacy
Although there was a statutory review of FIPPA in 2015, when people, including Mr. Hancock, came and presented on both sides of 30.1, the government has yet to make a determination on the issue. The government is also currently without a privacy commissioner and a new, coalition government is entering office.
And now, with the NDP and Green party in power, the future of section 30.1 remains unclear. Prior to the election, FIPA asked each party about their respective privacy policies. Here’s what the NDP and Green parties had to say:
“A BC NDP government will defend the privacy of British Columbians against any move by the Trump administration to undermine these rights and will maintain BC’s requirement that government and other public sector data be stored in Canada. Recent steps in Congress to weaken U.S. privacy provisions only reinforces the need for BC to remain firm.” – NDP
“With numerous data breaches in the last 4 years, it is clear that BC must re-examine the legislation that governs the data storage requirements it uses for housing private personal information. Beyond international trade, BC needs to update its policies and practices to catch up to and increasingly digitized world. A robust review of data policy would take place with a mandate to find and implement needed reforms.” – Green
And with the election of President Trump in the United States, Mr. Hancock said that “the amendments to 30.1 are very unlikely. There’s a lot of concern about data sovereignty. For whatever government that takes power. It is difficult for any government to justify what may be seen as weakening protections in privacy law.”
But, when it comes to section 30.1, the future is uncertain. And that means that the future of data storage and privacy in British Columbia remains unclear.
People said…