The information provided is for general information purposes and does not, and is not intended to, constitute legal advice. Readers should contact their legal representative for legal advice.
Recent amendments to B.C.’s Information Act could significantly change how the province’s public sector adopts cloud technology.
The Freedom of Information and Protection of Privacy Act (FIPPA) is a set of regulations governing how data can be processed, stored and disclosed by B.C.’s public sector. One of the regulations placed was a ban on cross border information flow. This ban has made B.C.’s public sector wary of using cloud services, limiting the tools they need to improve and scale their operations.
But on Oct. 31, 2019, the province legislated amendments to FIPPA. The amendments, outlined in Bill 35, have left IT professionals scratching their heads about what the changes could mean for public sector data residency.
What are the Experts Saying?
Experts are divided on what the new changes mean for B.C.’s public sector, cloud technology and privacy.
The Canadian Bar Association
The Canadian Bar Association (CBA) has welcomed the new changes, noting that cloud applications are becoming “increasingly prevalent and necessary” for effective public sector operations.
In the past, the CBA has recommended looser restrictions on what data can be transported and stored internationally. They have argued that the restrictions outlined by FIPPA were not practical and reduced B.C.’s public sector’s access to cloud solutions.
The Association believes that Bill 35 broadens the scope of information that can be sent internationally because it outlines more situations where accessing and disclosing data outside Canada are allowed. With these changes implemented, the CBA believes that B.C.’s public sector will have an increased ability to adopt the cloud while achieving data residency requirements.
The Office of the Information and Privacy Commissioner for B.C.
B.C. Privacy Commissioner, Michael McEvoy, is not as warm to the changes as the CBA is. While he notes that these changes will make cloud adoption easier for the public sector, McEvoy argues that Bill 35’s changes are broader than necessary and could weaken privacy protections.
McEvoy has proposed a series of edits to Bill 35 to address some of the issues that he believed were problematic. Only one of his suggestions, putting a specific time limit on how long metadata can be stored outside Canada, was included in the final version of the bill.
What We Think the Changes Could Mean?
It’s too soon to tell whether these changes will have a significant impact on public sector cloud adoption in B.C., but from our perspective the changes are promising. We are particularly enthusiastic about amendments regarding metadata: “A public body may disclose personal information …inside or outside Canada…if the information is metadata.”
What is Metadata?
Metadata is data about other data. Data that is recorded by a cash register when a barcode is scanned or when movie tickets are redeemed are considered metadata. Metadata generally does not include personally identifiable information, however, it is often transmitted in a way that could see it inadvertently cross borders.
For example, when a user logs into cloud services hosted by AWS, metadata relating to login credentials are transmitted to AWS’ servers in Virginia for authorization. Even though the metadata leaving Canada does not contain personally identifiable information, the transfer of data outside Canada could still technically be interpreted as a FIPPA violation.
Why Metadata Changes are Important?
Concerns surrounding metadata have previously prevented public sector uptake of cloud services, despite the availability of many Canadian-based cloud providers, including AWS. The new changes outlined in Bill 35 seem to now allow the temporary transfer of metadata outside of Canada. This is positive news – BC public sector agencies will have greater access to cloud services, while the public can rest assured that their data is protected.
The passing of Bill 35 has loosened some of the restrictions that have made the adoption of cloud services challenging, but the new changes do not mean that B.C.’s public sector agencies are free to move data outside of the country. While the amendments address some key challenges, Canadian data residency still remains a top priority.
For more information on how to move your public sector organization to the public cloud, while keeping your data in Canada, download our Canadian Data Residency white paper.