Second Session, 42nd Parliament (2021)
OFFICIAL REPORT OF DEBATES (HANSARD)
Thursday, November 4, 2021
Afternoon Sitting
Issue No. 126
ISSN 1499-2175
The HTML transcript is provided for informational purposes only.
The PDF transcript remains the official digital version.
THURSDAY, NOVEMBER 4, 2021
The House met at 1:03 p.m.
[Mr. Speaker in the chair.]
Routine Business
Tributes
WARD KINDLEIN
Hon. B. Ralston: I rise to share some sad news. My constituency assistant Ward Kindlein died recently. I want to say a few words about him here in the House.
He joined my office in 2018, working as a constituency assistant. He had serious health challenges, although he never complained about them and would not want to be defined by them. Nonetheless, it’s worth noting that he performed his job admirably, although he was what’s described sometimes as a double amputee.
I was present when he gave a short speech in 2018 to a non-profit about the transformative effect the opportunity to work and serve our community had upon him and the opportunities that he felt it had given him. Understanding, as he did, the impacts of genuine adversity, he provided empathetic and thoughtful advocacy for citizens who sought help from our office.
In a letter that the Premier wrote to his family, the Premier says: “With compassion, strength and dedication, he touched the lives of so many over the years, and his hard work will not soon be forgotten.” In short, he loved his job, and he was very good at it.
He leaves his daughter, Courtney Kindlein, and his son, Shaun Kindlein. Although he was separated from his wife, Lisa Kindlein, they remained very much good friends.
Rest in peace, Ward.
Personal Statements
APOLOGY FOR COMMENTS
Hon. N. Simons: I would like to rise today and apologize unequivocally for a note that I sent to a friend and colleague in this House earlier today. I meant no offence, and I would apologize to anyone who feels offended by it. It was intemperate and arrogant and was not intended to impugn anyone. I’m sorry about that.
I apologize to my colleagues on both sides of the House and to you, Mr. Speaker.
Orders of the Day
Hon. M. Farnworth: I call continued committee stage, Bill 22.
Committee of the Whole House
BILL 22 — FREEDOM OF INFORMATION AND PROTECTION OF PRIVACY AMENDMENT ACT, 2021
(continued)
The House in Committee of the Whole on Bill 22; S. Chandra Herbert in the chair.
The committee met at 1:08 p.m.
On clause 9 (continued).
Hon. L. Beare: Prior to our adjournment before lunch, I did promise the member for Skeena that I would provide some information. So I’ll read some information into the record for the member.
The principal purpose of the new term “Indigenous governing entity” is to replace the current term in the act, “Aboriginal government,” to ensure that this legislation refers to Indigenous peoples rather than Aboriginal peoples, to better align with the UN declaration on the rights of Indigenous peoples. The scope of who is captured by this definition has not changed.
The member noted that the term “Indigenous governing entity” is different than the term used in the Declaration Act, Bill 41, “Indigenous governing body.” As noted yesterday, the term used in Bill 22, “Indigenous governing entity,” includes an Indigenous governing body, as that term is defined in the Declaration Act, but also other Indigenous entities that exercise governmental functions.
It was important to the ministry to use a broader term to be inclusive and to ensure that Indigenous entities currently considered an Aboriginal government can be considered as an Indigenous governing entity under these amendments.
We recognize the governance structures within Indigenous nations vary, and the term “Indigenous governing entity” allows government to address the appropriate and appointed entity regarding access to information and privacy matters in cases where an Indigenous governing body has not been tasked by its peoples to address these issues specifically.
Put more simply, the objective is to use a term that is more reflective of contemporary terminology and standards regarding Indigenous self-government and self-determination while ensuring that it is broad enough that entities which were previously covered by the term “Aboriginal government” in the act are not excluded.
Clause 9 approved on division.
On clause 10.
B. Banman: Would the minister please explain: what is the rationale for the changes in this section?
Hon. L. Beare: There are minor language amendments in this section that enhance consistency across the statutes. Adding a reference to the “digital archives” ensures alignment with the Information Management Act.
B. Banman: Especially when one considers the news report of yesterday, I think it’s rather timely, with regard to the museum that is literally across the street. How will this affect any Indigenous peoples’ archives or museum artifacts?
Hon. L. Beare: There is no change here. This amendment is about alignment of minor language across the acts.
Clause 10 approved on division.
On clause 11.
B. Banman: On clause 11, were any Indigenous groups consulted on this change? If so, how many?
Hon. L. Beare: I have previously outlined all the groups that were consulted, so I don’t think the member wants me to go through that again specifically. One of the changes that was contemplated in that consultation was updating language throughout the act.
B. Banman: Was the language change the idea of government, or was it the idea of First Nations or Indigenous groups?
Hon. L. Beare: I think the member can well agree that this change is overdue, and using correct, updated language in the act is the right thing to do.
B. Banman: I won’t belabour that point, but that really didn’t answer my question. The question was: who came up with the idea?
I’m going to move on. What does repealing subsection (3)(h) do?
Hon. L. Beare: The change to section (3)(h) provides certainty that the identity of the third party that provided a personal recommendation and evaluation, or character reference, is always protected from disclosure.
B. Banman: What defines a “compelling circumstance” referred to in subsection 33(3)(h), in relation to clause 11?
Hon. L. Beare: I think the member is looking at (3)(a), when looking at the compelling…. But that’s okay. We’ll work it out here. That disclosure would be for any sort of potential impending threat that would jeopardize safety, for example.
B. Banman: To clarify, did the minister say (a) or (h)?
Hon. L. Beare: The member asked the question that had (3)(h) and asked what would be that compelling circumstance — an example of that. There is no compelling in 33(3)(h). There is compelling in 33(3)(a), and that’s for health and safety.
B. Banman: I have no further questions on clause 11.
Clause 11 approved on division.
On clause 12.
B. Banman: What does adding “section 18.1” to section 23…? What does that do, and how will this affect the act?
Hon. L. Beare: This is outlining the process for consultation to seek consent from Indigenous partners regarding information that might cause harm that is being considered for release, as we previously discussed. This was the section that I referenced upcoming that contemplates that consent.
B. Banman: Thank you very much. But how will it actually affect the act?
Hon. L. Beare: This amendment extends the applicability of section 23 of FOIPPA respecting a public body’s obligation in relation to notification to third parties to include notification to Indigenous rights holders when a public body intends to give access to a record that the head has reason to believe contains information that might be excepted from disclosure under 18.1.
Clause 12 approved on division.
On clause 13.
B. Banman: This bill removes many provisions that actually safeguard information. In this, could the minister please provide an example in this act of information that can or could be disclosed.
Hon. L. Beare: The only information that can be disclosed is to the people and for the purposes that are set out in section 33 of the act.
B. Banman: If an individual violates section 25.1, what are the penalties?
Hon. L. Beare: The potential penalties for violating this section are set out in section 65.6.
B. Banman: Does that involve monetary penalties? If so, what are the amounts?
Hon. L. Beare: So 65.6(2) says: “A person who commits an offence under section 65.3 or 65.4 is liable on conviction, (a) in the case of an individual, other than an individual who is a service provider, to a fine of up to $50,000, (b) subject to paragraph (c), in the case of a service provider, including a partnership that or an individual who is a service provider, to a fine of up to $50,000, and (c) in the case of a corporation, to a fine of up to $500,000.”
Clause 13 approved on division.
On clause 14.
B. Banman: This clause removes a number of sections of the act: 34, 35 and 36, to be exact. Only 33 of the act stays. So what are the intended results of the proposed amendment in subsections (c) and (d)?
Hon. L. Beare: Section 27 establishes that a public body may collect personal information from a source other than the person it is about if it’s disclosed to the public body under limited specific circumstances under FOIPPA. However, the authority for collection does not adequately parallel the current disclosure authority afforded under FOIPPA and fails to enable public bodies to collect personal information. So that’s the change you see before us, Member.
B. Banman: Was there Indigenous consultation on subsection (c.1)?
Hon. L. Beare: I’ve gone through the consultation process with the member a few times, and I don’t think the member wants me to read that into record again. I think what the member does want to know is that this section, this clause here before us, clarifies existing process and is making sure that it’s documented in the act for clarity.
B. Banman: The minister is right. I don’t need to hear the long, lengthy list that she was gracious enough to ply us with.
What I really want to know is: was this subsection specifically…? Were Indigenous stakeholders and/or people or groups…? Was this clause specifically consulted with them?
Hon. L. Beare: I have outlined our consultation process. There’s nothing new in this section here. It’s ensuring that we document existing practice.
B. Banman: The minister will probably be pleased to know that the last question I have on this clause is: can the minister please explain what is meant in subsection (c.2)?
Hon. L. Beare: This allows for the information that’s collected from a body disclosing it under enactment from another province or of Canada. As I’ve outlined to the member, it’s nothing new in the act. It’s nothing new in practice. We’re making sure the practice is documented in the act.
Clauses 14 to 16 inclusive approved on division.
On clause 17.
T. Stone: I’m pleased to stand on section 17 here and ask a series of questions to the minister. I appreciate her time and the time of her staff that are with her today.
Section 17 is one of the areas in this bill, one of the sections, that deals with this data residency question. Specifically, the data residency piece in this legislation provides for removing the current requirements for data to be stored here in British Columbia. There’s another piece of the data residency I question that is contained within, I believe, section 20. So I may have some additional questions at that time, but I’m going to focus the vast majority of my questions on the broader theme of data residency here in section 17.
I guess my first question would be this, as a high-level, very general question: can the minister walk us through the government’s thought process that led to their decision to remove all data residency provisions, thus allowing for the personal information of British Columbians to be potentially stored outside of Canada?
The Chair: Just for greater clarity, everyone, clauses 14, 15 and 16 were approved on division. I don’t know that the mics caught that.
I see a member seeking leave to make an introduction, I believe. The Minister of Jobs, Economic Recovery and Innovation.
Leave granted.
Introductions by Members
Hon. R. Kahlon: Thank you, Mr. Speaker.
The Minister of Agriculture, the MLA for Saanich South, was not able to be in the chamber right now. But I know that there’s a class of 25 students from Claremont Secondary that are in the gallery right now. I believe their teacher, Mr. Neufeld, got a very warm welcome from the Leader of the Third Party as well as the minister yesterday. It’s lovely to see them here today.
Thank you for coming.
Can the House please make them welcome.
Debate Continued
Hon. L. Beare: Over the past years, since we began looking at this bill in 2017-2018, we’ve listened and we’ve learned from the public, businesses and organizations, through extensive consultation, that organizations like universities, health authorities and tech companies have repeatedly told us that our current legislation and our data residency rules are outdated. They’ve stopped them from being competitive and, very importantly, stopped them from being responsive to people’s evolving needs.
It’s our role as government to listen to what is going on in people’s lives, businesses and organizations. That’s why we’re adapting. That’s why we’re proposing these amendments.
T. Stone: I’m going to refer to the Information and Privacy Commissioner’s letter, dated October 20, that was sent to the minister. This letter has been canvassed in great detail in other sections of the bill to this point.
One of the areas of concern that the commissioner has expressed his greatest frustrations, worries and concerns about the government’s approach, through Bill 22, relates to data residency. While he acknowledges that amending the legislation around data residency to better align British Columbia’s data residency framework with other jurisdictions is necessary, he goes on to say: “However, as you are aware, I am deeply concerned about how government proposes to do this. The proposed amendments remove the data residency requirement altogether, leaving any protections to regulations, about which we know nothing.”
This is compounded by the fact that the repeal of all current provisions related to data residency, the protections that are in the current FOIPPA act…. Section 17 eliminates those current sections. It eliminates section 30.1 of the current act. That’s the “Storage and access must be in Canada” section. It eliminates section 30.2, which is the “Obligation to report foreign demand for disclosure” section. It eliminates section 30.4, which is the “Unauthorized disclosure prohibited” section, and it eliminates section 30.5, which is the “Notification of unauthorized disclosure” section.
These requirements that are there today will all be eliminated upon royal assent, meaning the protections will be lifted before new regulations, presumably, have been developed and deposited and are, therefore, enforced. Regulations that, presumably, would contain whatever the government’s approach intends to be with respect to data residency and the broader question of protecting the personal information, protecting the data, of British Columbians.
The question for the minister would be this. In light of the extreme concern that has been expressed by the commissioner, as I just read into the record from his letter, and the fact that he and many others have asked for details on what the government intends to replace the existing data residence requirements with, can the minister explain why section 17, which removes the current data residency provisions, will come into force upon royal assent, prior to the development and approval, or at least the cabinet approval, of the regulations that, presumably, would contain the new data residency requirements, moving forward?
Hon. L. Beare: I want to make sure that the member knows that it’s not correct that this bill has no protections at all for personal information disclosed outside of Canada. FOIPPA’s current security requirements, which are in section 30, remain in place, and they require more security controls. This change alone would put us in line with other provinces. But remember, we are the only jurisdiction across Canada that has this outdated legislation.
This change alone would put us in line with those other provinces, but we went further than that, even, to ensure additional protections are in place. So the very ability to have a regulation and to add controls on disclosures outside of Canada is a power above and beyond the other provinces. The ministerial regulation will be ready if and when, at the will of the House, this bill receives royal assent.
T. Stone: We’ll get into questions around security concerns and protocols with respect to storing data outside of Canada. That’s what this section does. This section eliminates the current requirements in FOIPPA for storage and access of information to be in our country — to be here in Canada, to be in data centres on Canadian soil.
I respect the fact that section 30, as the minister has pointed out, speaks to the protection of personal information. We will get into significant concerns that we have, in the opposition, which I think are shared by the commissioner and by other British Columbians around the security protocols and the arrangements that will be in place to ensure that a level of protection and security on personal information and on British Columbians’ data is as strenuous and as stringent outside of the country as it is in the country.
This section we’re talking about here and now, section 17, eliminates the requirement for the storage and access of data here in Canada. That’s what I want to focus on. It’s fair enough for the minister to say that the regulation will come at the time of royal assent or shortly thereafter. I know how the whole regulation process works, because I did serve in cabinet. She’s in no position to state in this House that the regulations will definitively be ready on the same day that royal assent takes place, because she doesn’t know when royal assent is going to take place.
The issue here, as the commissioner has identified, is there is a repealing of the current requirements around storage and access of data in Canada, which are being eliminated, and there is no statement, no indication, from government as to what’s going to take the place of these sections that are being eliminated.
I’ll go back to the commissioner’s letter. In his concerns around data residency, he goes on to say: “With respect, it is not enough for the government to say that guardrails will be put in place in regulations at a later date. As section 33.1 currently reads, if the government chooses to not pass a regulation, there will be no protections at all for personal information disclosed outside of Canada.”
Again, why would the minister have allowed for such a risk to take place? Why would a piece of legislation be brought forward that eliminates requirements for storage and access of personal information and similar-type data here in Canada without having regulations — or at least draft regulations or details of intent that will be built into regulations, all of that information — on what the new landscape’s going to look like?
Have that ready for the commissioner, for British Columbians, for this House to see so that we can have some level of confidence that the protections related to the storage and access of data, the changes that the government’s proposing to make through this bill…. There will still be those strenuous, strict protections in place on the personal information and data of British Columbians.
[N. Letnick in the chair.]
Hon. L. Beare: I think it’s important to begin by saying that our government is committed to privacy protection and protecting people’s personal information. We’re going to be going through that in this bill — the number of ways that we’re doing that.
In 2004, when B.C. made this change, no other provinces followed suit. We are aligning with other jurisdictions all across Canada, including Canada. This is something that businesses, sectors and people have been asking for. The very fact that we have the ability to put in regulation and add controls on disclosures outside of Canada is a power above and beyond all the other provinces.
I think it’s important for the members opposite to hear some of the information that we’ve been hearing and the feedback we’ve been getting.
We have a quote here from UBC, one of our associate vice-presidents: “UBC welcomes these proposed amendments. They will substantially increase the privacy and security of personal data with more robust and resilient services by allowing us to select the most secure and effective solutions. We appreciate the opportunity to collaborate with government on changes that will boost the competitiveness and efficiency of B.C. post-secondary institutions while helping to protect our students, faculty and staff.”
T. Stone: Well, my question wasn’t: is the minister, personally, or is the government, generally, committed to protecting the privacy of information here in our province? I’m going to go out on a limb here and suggest that I’m going to take the minister at face value on that when she says that the government is committed to that.
The issue that I’m trying to focus on here, and what my questions to this point are related to, is why we did not see the details of what those protections are actually going to be. Section 17, as I said, eliminates the current sections of FOIPPA that require the storage of this important information, this personal information, here in the country and replaces it with nothing. Nothing. It basically leaves it to regulation. That’s the point.
Frankly, as someone who has a bit of a background in the tech sector, I find that omission in this legislation to be galling. I don’t understand why the government wouldn’t have included in this legislation, in the actual bill, the details around the framework for protecting information.
If we’re going to allow for information to be stored outside of Canada, which is going to be allowed if this section passes — and the subsequent amendments and other sections that relate to this — what takes its place? Where are the details around what protections will be in place if the data is, indeed, stored on servers or in cloud environments outside of British Columbia and outside of Canada?
My question to the minister, which she didn’t answer, was: on such a fundamental issue — the provision of security requirements on data that, presumably, could now be stored outside of our province — why will this section 17, upon royal assent, take effect and regulations won’t yet be in place? Why is the minister doing it this way, potentially putting at risk or creating unnecessary risk around this? That was my question.
I’ll ask it again. Why did the minister allow for this risk? Why is the minister taking something as fundamental as the security protections related to the storage and access of information, which can now be presumably done outside of Canada…? Why are the details of that going to be dealt with in regulation as opposed to being embedded in this legislation, which actually would have afforded this House, on behalf of the people we represent in this province, an opportunity to stress-test the provisions, to actually ask focused questions about it, to actually debate the provisions?
Instead, these security provisions are going to be dealt with in the dark room of cabinet where there’s not going to be…. And you can roll your eyes. Been there. Cabinet is going to decide what these protections are going to look like, and they’re just going to be deposited, totally circumventing again, which has been a theme up to this point on a number of other sections, the Legislative Assembly and the work that we could and should be doing here.
Again, why is the minister allowing for such a risk in not having developed even draft regulations that would show British Columbians what the intent is to replace the provisions, which will be eliminated should section 17 pass, and these sections specifically dealing with storage and access of information by public bodies — that the storage and access no longer has to be in Canada?
Hon. L. Beare: I want to make sure the member knows that operating like this is not new. Other jurisdictions all across Canada have been operating this way safely for years. We have been operating this way for the past 20 months here in British Columbia through a ministerial order to respond to the pandemic.
Our regulations that will be implemented — provided that, at the will of the House, this bill passes — go above and beyond every other jurisdiction in Canada that doesn’t even have the power to put in regulations, as we do right now, or will have with this bill. We are going above and beyond.
I think it’s important, Member, to know what’s going on in people’s and in businesses’ lives here in British Columbia.
I’m going to read the member another quote. We have FreshWorks Studio here in B.C., here in Victoria, saying that “B.C. has proposed amendments to its FOIPPA,” Freedom of Information and Privacy Act, “which include updates to B.C.’s data residency requirements. For individuals and businesses across B.C., this opens up many possibilities for faster, more streamlined, accessible services while offering even greater protection of personal information.”
T. Stone: Well, I find it fairly disconcerting in the minister’s comments moments ago where she says, basically, don’t worry. “You don’t need to worry. The regulations will come. They’re going to be in line with what may exist in other jurisdictions. Just trust us. Other jurisdictions are operating this way.”
I mean, that would be like saying to new drivers in British Columbia that just because you turn a certain age, you don’t have to go and do any training or get any licensing or whatever. “We’re developing the details on that. We’re going to model it on other jurisdictions. Have a good life.”
We’re talking about the current provision that requires data, personal information of British Columbians, to be stored here in Canada. I’m well aware of advances in technology. I’m well aware of cloud services, cloud computing. I’m well aware of the latest and greatest technologies that are used in large enterprise organizations around the world. What I am concerned about is that…. I’ve asked a number of questions to this point already, trying to get, from the minister, a sense of why she’s basically putting the cart before the horse here.
We’re being asked to sign off on a bill, Bill 22, that has a whole ton of details, pretty important details, that will be left to regulation and that won’t be subject to any scrutiny of this House. They’re not going to be stress-tested in this House. There are not going to be any tough questions of the minister on specifics, because most of these specifics are going to be dealt with in the secrecy of cabinet at some later date. Pardon me for not just taking the minister at her word that the regulations will be out the moment that royal assent takes place.
It didn’t have to be this way. The minister could have brought forward a bill…. I mean, frankly, the minister should have actually respected the special committee. I’m not going to canvass that anymore. I think that horse has been beaten to death — rightfully so. But the process of the special committee of this House, among many other matters, should have been the place where there was a starting point for feedback, input and engagement on data residency and any changes that might be necessary to modernize, update or improve our data residency regime.
The government decided not to do that. The next-best thing would have been that they could have hard-coded, in the legislation, the specific provisions around data residency, so that we could actually debate those details here in the House. The minister and the government decided not to do that. I’m baffled as to why the minister won’t answer the questions that I’ve been asking.
Let me reference back to the commissioner’s letter. This relates to the concept of draft regulations. I believe that the minister is on the record saying, I think earlier in debate on Bill 22, that draft regulations aren’t something that’s done. I’m paraphrasing there, but it was along those lines.
The commissioner said in his letter dated October 20: “I note that it is quite routine for governments to disclose draft regulations for public consultation and legislative scrutiny. For example, the federal government published draft regulations under Canada’s anti-spam law, giving legislators, regulators and stakeholders ample opportunity to comment on them.”
Imagine that.
“There is no legal or constitutional impediment to doing so here, and I urge you,” as in the minister, “to publish any draft regulations, or details of regulations, for public comment. The issues at stake, particularly respecting the data residency amendments, are too important, and meaningful debate depends on everyone knowing what is intended.”
As with the rest of the commissioner’s letter, I think he really nailed it. It’s about understanding the government’s intent here. What is the intent of what the new regime, the new rules, will look like when, presumably, section 17 passes this House, this bill receives royal assent, and the current storage and access requirements, as contained in the current act, disappear? Where are the details around the government’s intent?
My question to the minister, again, is this: is the minister prepared to make public the draft regulations — which, contrary to what she has said previously, is a practice that has been utilized in other jurisdictions, including in the Canadian Parliament and the federal government? Is the minister prepared to publish, or make public, draft regulations respecting the new data residency requirements that her government is contemplating?
Will she make those draft regulations available for the commissioner and everyone else to see so that we can offer input, comment on them and suggest improvements? In doing so, in making those draft regulations available, will she stand down the sections related to data residency, or accept amendments, through this bill debate process, to change the commencement of the sections related to data residency from being upon royal assent to upon the deposit of regulations? That would at least afford some time, one would think, for some reasonable input and constructive engagement, not the least of which should take place with the commissioner.
Is the minister prepared to make public draft regulations with respect to data residency?
Hon. L. Beare: Member, as I’ve answered before, other jurisdictions all across B.C., including the federal government, have been operating safely this way for years. We are aligning with those other jurisdictions all across Canada. We are ensuring that we have the ability for regulation which goes above and beyond all other jurisdictions in Canada.
That’s something that we’re putting into the bill to make sure that our government remains committed to protecting people’s privacy and privacy protections in general. Again, we’re going to make sure that we add those controls. I thank the member for the question.
Chair, if we could please request a ten-minute recess.
The Chair: We’ll recess till 2:30.
The committee recessed from 2:23 p.m. to 2:32 p.m.
[N. Letnick in the chair.]
T. Stone: Happy to be back. Just prior to the break there, the minister used a phrase that she has said several times in our short discussion thus far on this section 17, related to data residency. She keeps using the phrase that the regulations or the rules, the requirements that are coming, are going to be “above and beyond.” They’re going to go above and beyond what exists in other jurisdictions in Canada. Fair enough. I hope that’s the case.
Interjections.
The Chair: Members, the conversation is interrupting the speaker.
T. Stone: Thank you, Chair.
I certainly hope that’s the case. But the way that this process is supposed to work is that when we’re asked, on behalf of the constituents we represent, we’re supposed to scrutinize legislation and, in doing so, understand what the content is, what the details are of the government’s intent through the legislation. We’re supposed to be able to have that debate and discussion here.
My point, in the questions I’ve asked thus far, is not: are the regulations going to be above and beyond what other jurisdictions have? My questions have related to: why do we not know what any of those details are? Why are we here debating a section that’s being repealed and will be replaced with new requirements that will be dealt with through regulation, meaning none of us have a clue what the government’s intent is on this section? That’s what I’m trying to get to the bottom of.
While there are a lot of other sections in this legislation which are, frankly…. “Harmless” is the wrong word, but they’re more administrative in nature. This one is pretty darned important. It relates to personal information and the storage and access of that personal information, where it’s going to be stored and accessed.
The minister, in her previous couple of answers, has also stated that this is just to bring our laws, our requirements, around data residency in line with other jurisdictions.
She has made some comments, I think last Thursday during debate and also in media reports, that no other jurisdictions in Canada have the requirements that we still operate under here in British Columbia. That’s simply not entirely true. So I want to set the record straight on that point, as well, with the help of the exceptional researchers here in the Legislature.
There are a number of jurisdictions in Canada that have retained very specific requirements around the security and the access of information and, in many cases, requiring that said information be stored within Canada.
In Nova Scotia, the personal information disclosure protection act, under section 5, requires public bodies and their service providers and associates to store only in Canada and make accessible personal information in their custody or control only in Canada. That’s Nova Scotia.
Similarly, New Brunswick has a requirement almost identical to that in their Personal Health Information Privacy and Access Act. I believe it’s section 55(2). New Brunswick also deals with this requirement in a very clearly stated systems security policy, policy AD-7107.
Newfoundland and Labrador has very strong requirements on the books with respect to the storage and access of information. Quebec probably has the most current set of data storage and access requirements, the most recent changes of a provincial jurisdiction.
These other jurisdictions all have protections in place. British Columbia currently has protections in place in FOIPPA. Those current requirements around storage and access of information are about to be repealed through this section 17, and we don’t know what’s going to replace them. That’s the question.
I’ll ask it again to the minister. I’m going to ask it again in the context of yet another comment that the commissioner has made. The commissioner has called this legislation “a blank cheque” for government to use information storage outside of Canada. I’ll say that again. The commissioner has said this legislation is “a blank cheque” for government to use information storage outside of Canada.
Could the minister please tell us, in the comments that the commissioner has made related to data residency, the comment that I just read into the record that’s from the commissioner — the commissioner’s weighing in on this data residency issue — where has the commissioner got it wrong? Where has he got it wrong?
Hon. L. Beare: To be clear with the member, as I’ve said, the variability to have regulation and add controls and disclosures outside of Canada is a power above and beyond other provinces. The section 30 remaining in place alone would put us in line with other provinces, but we went further to ensure that additional protections are put in place.
For the member, this is an important change that businesses, people, organizations have been asking for. We’ve been hearing repeatedly that our current data restrictions are out of date and not allowing our sectors to flourish.
I have a quote here from the city of Kelowna. “Local governments are being asked to deliver services effectively and efficiently with the best citizen experience possible. With changes to data residency policy, this will allow organizations to meet the need of customers while still protecting our digital assets.”
T. Stone: Again, I think it’s interesting that when I’m asking a process question here, why are we putting the cart before the horse…? Why are we being asked to debate a bill, scrutinize a bill? That’s what the committee stage is all about. This is about scrutinizing the details that bring a bill to life, section by section. We scrutinize the intent of the government. We scrutinize the mechanics of what’s being proposed, the potential risks, and so forth.
As I’m asking these process questions, the minister keeps responding with: “Unlike other jurisdictions, we’re going above and beyond.” How is not knowing what the minister’s and her government’s intent is…? How is not knowing what the provisions related to the storage and access of information, presumably outside of Canada…? How is not knowing that today, while we’re being asked to support this Bill 22, a significant overhaul of FOI legislation in this province…? How is not knowing those details “going above and beyond”?
I can’t stand here and say — I won’t say — that I trust the minister and the government on this. I have so many other concerns in other sections of the bill that have been spoken to, addressed by other members of the opposition. Forgive me if I don’t just trust the minister at her word that at some point in the future, after royal assent of this bill, the details will be released and will be known to everyone. That’s not how this is supposed to work.
Again, we’re talking about the personal information, highly confidential information, data assets of the people who live in this province. These provisions are just going to be repealed and replaced with something, presumably, at some later date. It might happen right at the time of royal assent. It might come the next day. It might come a month later. It might come six months after that. As the commissioner has said, none of that is acceptable. We should know what the government’s intent is.
Interjection.
T. Stone: The member for Saanich North and the Islands is quite correct. The commissioner has said there’s a possibility that there may not be regulations that actually come. That is not acceptable.
I’m going to move on because we’re clearly not achieving much here in terms of the minister addressing the very, very simple, straightforward question as to why these details are not being provided to us, why the commissioner has not been brought into this process.
On that point, the commissioner said in his letter another concern related to this. He said: “Unlike the development of other regulations, such as those regarding data linking, section 76(2.1), government is not required to consult me or anyone else on the development of data residency regulations.” So not only are we just supposed to trust the minister and trust the government that whatever provisions that might come in regulations at some later date related to data access and storage, if ever they come forward….
The minister is also removing, essentially, the oversight of the commissioner with respect to data residency and the regulations related to data residency.
My question to the minister would be this. Why would the government maintain a provision for consultation with the commissioner on a number of other aspects of the bill but not when it comes to data residency? Why is this government taking away or removing a requirement to consult with the commissioner with respect to data residency?
Hon. L. Beare: At no point does this bill take away what the member is asserting.
T. Stone: I’m not asserting it. The commissioner is asserting it. Has the minister read the commissioner’s letter, dated October 20? The commissioner says very clearly: “Unlike the development of other regulations, such as those regarding data linking…government is not required to consult me or anyone else on the development of data residency regulations — section 76.1.”
Where in that quote from the commissioner are we missing the mark? Where is the commissioner missing the mark? Could the minister please enlighten us and enlighten the commissioner on where he is wrong in what he has said very clearly with respect to not having oversight, not needing to be consulted with respect to data residency?
Hon. L. Beare: In his letter, the commissioner is in no way suggesting we removed any requirements to consult, because the act never had any requirements to consult. This is a new regulation, a new regulation-making authority being given in the act. This regulation will allow us to add protections around disclosures outside of Canada.
T. Stone: This is what I’ve been saying. In section 76.1 of the FOIPPA act, where it lays out ministerial regulation-making power, there is no provision for consultation with the commissioner on data residency. I know that. I can read the act.
What I’m asking is in the context of the commissioner’s letter. The commissioner makes very clear that he sees it as a significant gap. I don’t think I would be overstepping by suggesting that or characterizing it that way. It’s a significant gap or flaw in the process that the minister and the government are following with respect to bringing forward Bill 22 and not having any of the details pertaining to what these regulations are actually going to include.
With that, Chair, out of respect for my friend and colleague from Saanich North and the Islands, recognizing he has some time constraints, I’m going to turn things over to him to ask a few questions, and then we’ll jump back into some additional topics I would like to cover in section 17.
A. Olsen: How are we to protect data with our laws if it’s resident in a different jurisdiction?
The Chair: Just a reminder to all members that when they’re crossing the chamber, they’re supposed to bow. Thank you.
Interjection.
The Chair: The members would like to remind you that if you’re crossing the floor permanently, you do not need to bow. [Laughter.]
However, you might need to duck.
[S. Chandra Herbert in the chair.]
Hon. L. Beare: Under the act, we have section 30, which currently requires us to protect information. The act also requires privacy impact assessments, which highlight and address risk. We have new requirements for privacy management programs that no other province mandates. We have new privacy breach reporting and new requirements and increased penalties for non-compliance.
A. Olsen: Yesterday, as I was walking out of the chamber, a member mentioned to me: “Well, I wouldn’t be so concerned about the situation if the Americans hadn’t repealed the Patriot Act.” Okay. All right. Good thing that they did that. I’m not sure. I’m not following closely with what they’re doing.
However, they could do anything they want. Any jurisdiction could do anything they want. If our data, our information, is residing in that country, we have exposed ourselves, in a way, by repealing these sections that are in this amendment act.
Can a public entity, a public body, store data in any country in the world once the government gets its way and repeals this section, in any jurisdiction in the world?
Hon. L. Beare: I want to thank the member for the question, because it’s a good question. In the act, the privacy impact assessments would address this very concern that the member is talking about.
The privacy impact assessment process considers risk on a case-by-case basis based on the specific activities and information involved in each proposed initiative. A public body must conduct that privacy impact assessment to demonstrate that the information is safe before it is potentially stored elsewhere.
A. Olsen: It was a good question, but I didn’t really get an answer for it. The question that I asked was whether or not data could be stored in any country in the world. That question still stands.
Is it anywhere globally that British Columbians’ information, held by a public body…? Again, I think that we’re hearing the minister talk about private businesses and making comments about data residency. Those comments would be better suited to be left with the PIPA act, which is currently under review right now through that special committee process. This is about public bodies holding information. The question that I asked was whether or not the information could be stored anywhere in the world.
The second question I’m going to ask on top of that now is: in those assessments, are the public entities or the public bodies to be looking at the potential future risk of a law that they have no idea is being contemplated by those jurisdictions in significantly changing the privacy framework in any country in the world? How is anybody to assess that potential?
Part of the reason why the 2016 special committee recommended that we keep our information nice and close — perhaps in the member for Kamloops–South Thompson’s riding, where there is a massive data storage facility — is because that’s where we can get certainty.
The question is: when this bill passes, when they use their majority to push this bill through, can this information be stored in any jurisdiction on the globe? Two, in those privacy assessments, how do we reconcile things we don’t know, like a completely and totally changed government with different privacy laws in those other jurisdictions?
J. Brar: I seek leave to make an introduction.
Leave granted.
Introductions by Members
J. Brar: I thought I should use this time, a very meaningful time.
I’ve been elected about 17 years, and this is the first time that I have six members of my family up in the gallery. So this is a big day for me. I want to introduce them, of course.
This is my father-in-law, Sohan Singh Grewal, and my mother-in-law, Pritam Kaur Grewal. I thank them for the best gift they gave me of my life. They have been there full-time in my six elections, doing everything possible for my victory. They played a huge role there.
With them, they have their granddaughter Jasbir Grewal — she has just completed and become a psychologist, just a few days ago; congratulations, Jasbir — and my daughter Noor Brar. She is just finishing an undergraduate degree at UBC and working hard to get into medical school. I wish you well for that as well.
My son Fateh Brar is sitting there. He is a bit shy sometimes, but he’s in school doing an excellent job as well.
Last, but not least, my beautiful wife, Rajwant Brar, who has done — I can’t even define — an excellent job, super job, to support me in this career.
I love you, and I appreciate what you do. I don’t have the words to define what you’ve done for me.
I will ask the House to make them feel welcome.
The Chair: Thank you, Member. Welcome to your guests.
Debate Continued
Hon. L. Beare: I do want to remind the member and this House that other jurisdictions have been operating this way safely for years, and we’ve been operating this way safely for the past 20 months.
The member is looking for a blanket statement that can’t be given. Each privacy impact assessment is done on a case-by-case basis, and data can only be stored where it’s safe, according to those privacy assessments. Those privacy assessments are routinely updated as programs change.
A. Olsen: Clearly, the minister does not want to tell British Columbians that their data could be stored in any jurisdiction around the world, whether or not they might be able to achieve the assessment for any country in the world. It would be nice if the minister would just stand up and say that.
The reality also is that, while they have to be updated, countries around the world, jurisdictions around the world, are changing their laws, similar to when the United States didn’t have the Patriot Act, and then the United States had the Patriot Act. It changed its laws. It gave access to information that it held within its borders to its security services that it previously didn’t.
If our data of our public entities is being stored there, we can do all the privacy assessments we want in this province. We can do them every day, for every organization, for every bit of data that is being stored elsewhere. It will make no difference if the National Security Agency or whichever one of those organizations now wants to access that data, because the United States changed their laws. We’re doing assessments here in B.C., but that doesn’t give any assurance to the people of British Columbia that we’re going to be able to extract that data before they get access to it. It’s just a fact.
It’s one of the reasons why the 2016 committee recommended…. This minister has consistently said, over the last couple weeks that we’ve been debating this bill, that they’ve been taking into consideration the recommendations. Not agreeing with them, just taking them into consideration. Ignoring the ones that are not consistent with the things that they want to do, and then highlighting the ones that are consistent with the things that they do want to do.
This minister has regularly, in this process, flouted and sidestepped the processes in here that we have set up, that this House has set up, in order to be able to ensure that our democracy has some meaningfulness and some resilience. For example, one of the respectful things that this minister could have done is referred this idea of a permanent change of data residency to the committee that would….
I know that members of this place are probably growing tired of us referring to the special committee. We’re at the end of a week. Probably growing tired. But when you don’t give the benefit….
You can say all you want: “Well, we’re going to consult.” The process for actual, proper consultation happens at that special committee. Let’s talk about it.
You know what? We’re talking about it in the other committee that is for PIPA, the Personal Information Protection Act. It is an item of concern. To think we’re changing it here for this part and not having the benefit of talking about it is really quite absurd. It adds a level of absurdity to this place.
My hope is the members from the government caucus are listening to this debate and hearing how inconsistent their own actions are. We’ve raised it before, and we will continue to raise it for as long as this bill is being debated. This process is undermining the systems we’ve set up, in this House, for this House to properly function. As minor as the members of the government caucus want to pretend that these changes are, there is a principle that is being attacked here and that must be defended.
It doesn’t matter what section of this bill: data residency is a major portion of this. If you take a look at the amendment act, it’s one line striking out three sections of a piece of legislation, an act. Sometimes the most minor instances in these amendment acts have the biggest impact. We can take the minister on her word, except for the fact that so many of these changes are happening outside.
We are providing the minister, the ministry and this government an enabling power to do whatever they want or to do nothing at all. The government may not bring in any regulations on this section of the act, but once royal assent is given to this bill, it is out of our hands — the House that represents the people of British Columbia. The government doesn’t represent the people of British Columbia; all 87 seats in this place do. The government is given a special responsibility to respect this institution.
I can’t sit by and continue to see this institution disrespected. Will the minister please answer my question? Will data…? I understand that there are assessments. I understand that there are conditions under which those assessments will be evaluated. I understand all the language that the minister wants to put around this — except for actually answering the question.
Will there be an opportunity for British Columbians’ data and information to be stored in any jurisdiction around the world if they comply with the other aspects that the minister continues to provide in response to the question that I asked?
Hon. L. Beare: I think it’s very important that we stress that data can and will only be stored where it is secure. That is very important for the member to know. It’s very important for the public to know that that is the point of the privacy impact assessments: to assess the security of the data.
I think it’s also important for the member to know that amending our data residency provisions will enable B.C.’s public bodies to continue to use tools and provide modern digital services that people need and expect. This is something that we have been hearing from British Columbians — the need. We’re hearing it from businesses and from sectors and public bodies all across this province.
In fact, I have a quote here from Jill Tipping, the president and CEO of B.C. Tech Association. “This is a positive development from government that B.C.’s tech industry welcomes. The change to B.C.’s data residency requirements will allow local companies to leverage cutting-edge technology to help B.C.’s public sector deliver the modern tools that citizens expect with the privacy protections they need.” That’s important.
A. Olsen: One final question from me. Then I’ll stay seated. Does the minister understand the difference between the PIPA and the FOIPPA and where that dividing line is? This bill is actually dealing with the public entities. PIPA deals with the private entities, which she continues to quote in this House for the debate that we’re having on the FOIPPA act.
Hon. L. Beare: I know that the member knows that any business or private organization that contracts to government is subject to the rules under FOIPPA.
T. Stone: I won’t speak for the member for Saanich North and the Islands, but I don’t think that was the question that the member had asked the minister. That seems to be a pattern this afternoon.
I want to go back to a few of the questions we were canvassing with respect to the commissioner — a really simple, straightforward one. In the drafting of this legislation and the preparation of Bill 22 that’s before the House today, why did the minister, in this Bill 22, choose not to include a requirement for consultation with the commissioner on data residency requirements in British Columbia?
Hon. L. Beare: Government routinely consults with the commissioner on new legislation, on new regulations, new programs of interest. We are going to continue that practice moving forward.
T. Stone: Okay. Another “trust me” moment.
I’m not the one flagging this concern. As I said earlier, it’s the commissioner who flagged his concern with there being no requirement for consultation with him on data residency. Frankly, there hasn’t been, with respect to the bill that’s here.
It’s at the whole point of this entire two-thirds of a page of his letter on data residency where he goes to great lengths to express his frustration for not understanding the government’s intent with respect to data residency — no provision for draft regulations, no details shared with him whatsoever on the government’s intent. He wouldn’t have included this concern in his letter if it were otherwise.
The minister can say that there are regular consultations, engagements and so forth with the commissioner. I know that they have conversations. I know that there are meetings and so forth, but these are not my concerns that I’m expressing. These are the concerns of the commissioner in and of himself. I think it does reflect a missed opportunity, in this piece of legislation, not to have proactively added a requirement for consultation with the commissioner with respect to data residency.
I want to move on. The commissioner, in his letter, also outlines a number of items that he believes should be included in the regulations, that he hopes will be in the regulations, that he would like to see built into the regulations. I want to just quickly canvass a few of these points. In the absence of having any of these details in the legislation or having any draft regulations, we’re left to pretty much throwing darts at a dartboard here with the minister just to try and get a sense of what the intent is with respect to section 17.
The first question is: will the regulations require public bodies to conduct privacy impact assessments before deciding whether to export personal information? It’s a very specific question, yes or no.
Hon. L. Beare: It’s already required under the legislation that a privacy impact assessment be conducted on any new system, project, program or activity, and that remains the same under this proposed legislation.
T. Stone: Will these privacy impact assessments include the sensitivity of personal information? Will these assessments include the purpose of the disclosure?
Hon. L. Beare: The contents of the regulation are a separate process, as we have already canvassed with the member. But all privacy impact assessments must consider how information is kept safe, which would include considerations like the member mentioned.
T. Stone: Again, they would be inclusive of the sensitivity of personal information and the purpose of disclosure. Does the minister want to just say yes?
Hon. L. Beare: That’s correct, Member.
T. Stone: Will these privacy impact assessments include “contractual or other measures in place to provide the real protections” that are needed? Again, that’s directly from the letter that the commissioner provided. Last, out of his letter, the commissioner is hopeful that the regulations will ensure that these assessments include “the legal framework of the foreign jurisdictions” that are involved.
I’m just looking to the minister that, indeed, these additional provisions that I’ve just detailed, which, again, are in the commissioner’s letter, would be included in the regulations that are under development.
Hon. L. Beare: It’s the same answer as I gave the member before. The contents of the regulation are part of a separate process, as we’ve already canvassed, but all privacy impact assessments must consider how information is kept safe. That consideration will be given to things like the member mentioned — the contractual measures for real protections and foreign jurisdictions. Those considerations will be looked at in the regulation.
T. Stone: I want to canvass for a moment why this is really, really important so that we have this on the record. There are a number of jurisdictions in other parts of Canada and in the world that have put in place very, very strict equivalency requirements that ensure, as best as can possibly be put in place, protections on these digital assets, this information.
In Quebec, which I mentioned earlier in our discussion, the Quebec government recently passed legislation overhauling their number of aspects of how data is managed. While their legislation does provide for the storage and access of data outside of the borders of Quebec and Canada, there are some very strict requirements set out. Specifically….
I’ll just read this. “Before disclosing personal information outside Quebec, including for outsourcing purposes, an enterprise will be required to conduct a privacy impact assessment” — and this is the important part — “to evaluate whether the information will receive a level of protection equivalent to the one provided under Quebec law.”
That’s a very, very important point, and that’s what I’m trying to get at. I think the commissioner was trying to get at, in his letter, that the equivalency requirements must exist to ensure that when data leaves the province, leaves the country, the protections we would afford that data here in British Columbia from a security and access perspective would follow the data to whichever jurisdiction they happen to be in.
The other jurisdiction that has made significant advancements on this is the European Union. In the European Union, they have what is called a General Data Protection Regulation. It deals with personal data that is transferred outside of the EU jurisdiction. It basically means, as I just stated in the Quebec example, that the level of protection that is afforded EU data within the borders of the European Union…. If that data is exported broadly, the company or the institution or the public body is responsible for ensuring that that same level of protection follows the data.
I really want to get to the bottom of this and have on the record the maximum assurance possible from the minister that this equivalency information is going to be detailed in the regulations. Let’s use the United States as a context here. The minister talked about the Patriot Act earlier. She may be correct in that the Patriot Act and other comparable legislation is no longer on the books.
There is nothing preventing the U.S. government, at any time, from enacting legislation that is Patriot Act–like, that would provide the same very draconian surveillance possibilities that, as in the case when the Patriot Act was in full force, included data that was stored in the United States from foreign jurisdictions.
I know it was a long-winded question, but I just think it really cuts to the core of the protections that need to be there on this data, should the data leave the province. Can the minister please confirm…? Or maybe a better way to ask it is: can the minister please advise the House, and advise me and my colleagues, what those equivalency requirements are going to be? Can she confirm that they’re going to be detailed and included in the regulations that are forthcoming in relation to data residency?
Hon. L. Beare: I’ll just prep the House that I will be asking for a recess at the end of this question, so people can plan accordingly.
I very much thank the member for this question because I absolutely understand the intent behind it and the desire to hear a strong, bold statement from government. I want to give the member that. I want to assure this House that it is our government’s belief and intent to protect data, and that is paramount.
We want to ensure that data is protected no matter where it is stored. So we are increasing the privacy impacts and assessments. Those will be strengthened. We are going to continue to do that work. We’re going to be implementing strong, contractual, administrative, technical controls. These are the types of things that keep data safe, no matter where it’s stored.
There are a number of areas throughout this bill where we’re increasing protections, as well, that we haven’t had a chance to canvass yet. We’re going to get a chance to talk about those because we absolutely firmly believe that it is vitally important to ensure that our data is protected. I want to make sure that I said that unequivocally to the member, that we are committed to that.
With that, Chair, I would like to request a ten-minute recess.
The Chair: Thank you, Minister. This committee will be in recess for ten minutes.
The committee recessed from 3:58 p.m. to 4:08 p.m.
[N. Letnick in the chair.]
T. Stone: Before our short break there, we were talking about the need for equivalencies to be detailed and provided for and built into the regulations — again, in the context of security or the protection of privacy, and so forth.
In the U.S. context, I’m wondering if the minister could advise this House if…. Again, assuming the bill passes and the data residency requirements are gone and regulations come in that provide protections of some sort for the storage and access of digital assets in, let’s say, the United States, would that data that would then reside in the United States be subject to U.S. FISA warrants?
As I’m sure the minister knows, the U.S. foreign intelligence court can and does oversee requests for surveillance warrants, warrants for surveillance on digital assets and the like. These requests are typically made by the FBI and by the National Security Agency in the United States, or NSA.
Notwithstanding the Patriot Act and the other things that we’ve talked about, what is the minister’s understanding as to whether or not British Columbians’ data that, in this scenario, would be located, stored and accessed out of the United States…? Would that data be subject to FISA warrants?
Introductions by Members
The Chair: Welcome to the B.C. Legislature. We are currently reviewing Bill 22, which is the Freedom of Information and Privacy Protection Act. We’ve already done second reading. Now the opposition members are asking questions, clause by clause, to the minister to get clarity as to what the bill really means — for later, if it needs to be interpreted by judges or other people. Welcome to the riveting discussion.
Debate Continued
The Chair: Members, sorry, we’re no longer in recess. If you have discussions, could you take them outside, please. Thank you.
Hon. L. Beare: The disclosure authorities that we have within this law, which are upcoming, don’t permit or list disclosures to foreign law enforcement.
I think it’s important for the member to know, though, that it’s the controls put around the data that make the data safe, such as we outlined — the technical, the contractual, the administration controls. Things like encryption ensure that data will be protected, no matter where it’s stored.
T. Stone: Well, again, that response, with all due respect, creates significant heartburn for me and for, I think, a lot of people, a lot of British Columbians. To suggest that some requirement for encryption on British Columbia data assets that are stored in the United States is somehow going to prevent the long arm of the United States surveillance community….
Whether it’s the NSA, the FBI or another like organization that obtains legal warrants in U.S. courts to access data, to suggest that some technical, encryption-type protections wrapped around that data would keep the long arm of the U.S. intelligence community from accessing this information, I think, betrays a lack of understanding, perhaps, on the part of government as to just how significant a concern we all should have about moving our data outside of British Columbia or moving it outside of Canada.
I’ll ask again. Does the minister actually believe some technical protections or encryption protections wrapped around data is going to prevent the U.S. intelligence community, on legally obtained warrants, from accessing that data? Is that what she’s actually saying? Does the minister actually believe that?
Hon. L. Beare: I want to let the member know that just because the data residency requirement has been removed does not mean that all data is being stored elsewhere, here in British Columbia. Government is going to continue to use the servers that are in the member’s riding, as well as across the province. We are going to be in a hybrid model for a very long time, using our domestic servers as well as, potentially, cloud-based platforms.
The privacy impact assessments are being strengthened and require consideration of all measures to keep data secure, including what are appropriate types of data to be stored elsewhere, based on the sensitivity of that data.
T. Stone: Again, I don’t believe there was an adequate response there to the question around GDPR-like equivalencies. What is the government going to ensure is in the regulations to maximize the protection of digital assets and information that is stored outside of the country?
This makes me very, very nervous. I’m worried for British Columbians, who I think have a right to be concerned about their data being accessed in the United States or other jurisdictions and the security and the access of that information being potentially compromised, or at least being lesser than what is afforded here in Canada.
I asked specifically about the U.S. intelligence community and warrants that can be obtained in the U.S. Foreign Intelligence Surveillance Court, typically warrants that are requested by the NSA and the FBI. My specific question was: will B.C. data, which, presumably, will be stored in the United States, be subject to warrants of this Foreign Intelligence Surveillance Court in the United States?
I would really appreciate an answer to that very specific question, because I think it cuts to the core of why British Columbians should really be asking their government why this is necessary. Why are we taking the risk of moving our information or moving information assets, digital assets information and critical data? Why are we taking the risk and allowing for the storage of this data outside of our country?
Are FISA warrants applicable to B.C. data stored in the United States or not? What’s the minister’s understanding?
Hon. L. Beare: Thank you to the member.
Disclosing data outside of the province is not new. Other jurisdictions across Canada have been doing this safely for years. We have been doing this safely for the past 20 months, during the pandemic. The act currently allows for disclosures outside of Canada for a number of reasons, which is why we know how to protect data and keep it safe.
We are strengthening the privacy impact assessments, which will assess what data is appropriate and require those considerations of what data is appropriate to be disclosed outside of our jurisdiction, because we know how important it is to keep data safe.
T. Stone: Well, that’s cold comfort. I didn’t hear anything in that answer other than, again: “Trust me. It’s coming. It’ll be in regulations. The privacy impact assessments are going to be updated.”
You know, that’s great. We should be discussing those specific details here. We’re talking about British Columbians’ data, a lot of which may be personal information, being stored outside of British Columbia. The member for Saanich North and the Islands asked earlier which countries the province is contemplating storing this data within, and we couldn’t get an answer on that.
I’m trying to get to the bottom of: are there going to be security protections built into the regulations, specifically with respect to these privacy impact assessments, to best enable British Columbians to have confidence that their personal information or digital assets in this province aren’t going to be compromised?
I haven’t heard anything other than high-level platitudes from the minister — again, along the lines of “trust me” — that would give British Columbians…. It certainly doesn’t give me any confidence that this has been well thought through. These provisions might not even yet exist. We certainly don’t have them in front of us here.
I’ll move on. The minister has consistently referenced how we’re going to be in a hybrid model for the foreseeable future. She’s talked about how B.C. is not competitive right now with other jurisdictions in Canada and outside of Canada because of our data residency requirements. I think we need to dive into this a little bit more and understand what the minister really means.
We have state-of-the-art data centres that are managing British Columbia’s assets today. By coincidence, one of those data centres is in my riding in Kamloops–South Thompson. The data centres that the province is contracted with to manage our information assets, whether it be health records or ICBC information — I mean, I go through the list — have been managed well here within British Columbia, within the data centre up in Kamloops, for quite a number of years.
If you go to the government website and if you look for details on the data centre the province utilizes here in B.C., a few excerpts say the following: “Tap into the province’s agreement for data centre, managed hosting and data sovereign and data resident cloud services….”
Oh, imagine that. We are actually capable…. We have the technical capabilities here in British Columbia to host and manage cloud services. Maybe that’s what the minister is talking about with respect to being in a hybrid model, as she has said several times.
“Major benefits of the agreement include…energy cost savings realized through server virtualization and by consolidating multiple data centres across the province into two modern…facilities. These tier 3 data centres” — one in Kamloops, one in Calgary — “are backed by 100 percent service levels for power and network availability.” On and on it goes — all these managed hosting services that are part of the province’s contract, including, again, cloud software as a service.
The point I’m trying to make here is that there is data centre infrastructure here in British Columbia and here in Canada that’s quite capable of hosting and managing sensitive information. We’ve been doing it for years. The coming about of cloud-based services and the use of technologies, whether it’s for video conferencing or whether it’s just the ability to access this information much more quickly, in these cloud environments, through the Internet…. British Columbia is at the forefront with this technology.
It’s a question of: why are we not focusing our efforts on utilizing the capacity that we already have here in British Columbia and we have across Canada? Vancouver, Calgary, Toronto, Montreal are not exactly backwaters when it comes to technology. These are cities that have very dynamic and very deep technology sectors and deep expertise when it comes to database management, virtualization, cloud services, and so forth. I mean, we’re a G7 country, for crying out loud.
I would also point out, and then I’ll let…. Obviously, we want to hear what the minister has to say to this. We don’t have to talk about the data centre arrangements that are in place right now in Kamloops and in Calgary.
I’ve met with executives from Microsoft. I’m sure that the minister has. I’ve met with executives at Google. I’ve met with executives at Amazon. I’ve met with executives of all kinds of tech companies. I know many of these people. They will set up servers for managing exactly these kinds of information assets. They’ll set these servers up here in British Columbia. They’ll do it in Canada, if that’s what a jurisdiction requires.
Microsoft has Canadian server data centres today, and they manage all kinds of public body information across the country — Microsoft 365 services, for example. Those services are on servers that are here in Canada, that are subject to Canadian law and that can be accessed and managed by Canadians. Likewise, Google, ServiceNow, AirWatch. There are all kinds of services that can be and are being provided here on Canadian soil.
My question to the minister is: why are we doing this? Why are we putting personal information and other data assets of British Columbians at risk, potentially subject, in the case of the United States, to intelligence surveillance warrants and so forth, as I’ve tried to canvass earlier, potentially subject to Patriot Act–like legislation that may or may not come down the pipe in the future?
Why are we doing this when we have the infrastructure and the capacity to further build out and enhance that infrastructure and continue to utilize Canadians while we are at it? Why are we not managing these assets here in Canada, as opposed to opening the door wide by removing all of the data residency requirements and not telling this House or British Columbians what that means, where the data will go or what the protections will be and potentially risking all of this personal information and these digital assets?
Why is British Columbian and Canadian infrastructure not good enough?
Hon. L. Beare: I agree with the member that the Kelowna data centre is and will continue to be a vital part of our strategic IT plans from government moving forward. As I’ve said, we will be in a hybrid model, and we will continue to use the Kelowna data centre and its on-premise solutions. It’s going to be vital, especially when we talk about the strengthening of our privacy impact assessments in assessing what data is appropriate to be stored elsewhere.
When we talk about all modern tools, they’re not able to be hosted here in British Columbia — for example, Google Classroom or Zoom. I have a letter from a teacher here who just moved back from Alberta, and she writes me: “From a teaching standpoint, Google Classroom is intuitive and efficient. I was disappointed to discover that B.C. school districts rarely use Google and met opposition when I asked my own IT department if we could use it. I’ve since learned that it’s because B.C. has some of the most stringent privacy laws in North America.”
These are tools that our communities have come to rely on during the pandemic, and are only allowed to be used at this moment through the ministerial order. These proposed amendments will give B.C.’s public bodies more choice in the use of modern tools. Many of our trusted vendors need to be able to use modern, commercial off-the-shelf technology that is currently not available within Canadian data centres. This is impeding our ability to deliver digital services to British Columbians.
T. Stone: That’s very interesting — the minister’s assessment. Actually, I will correct her on one point, not that it’s a sensitive Kamloops-Kelowna thing, but the data centre is in Kamloops, not Kelowna. My Kelowna colleagues wish it was there. They get everything else. We get the data centre. I’m just kidding.
I will say, in all seriousness, that certainly, I find it hard to believe…. If the B.C. government and other jurisdictions in Canada were to say to Zoom or to Google, “We want to sign a contract with you to have your services hosted on servers on our soil here in Canada,” I find it very hard to believe that these companies would say no. Microsoft hasn’t said no. Facebook hasn’t said no.
There are all kinds of huge American and international companies that have entered into contractual arrangements with provincial jurisdictions and with the federal government to have their services hosted on servers in Canada. So I don’t think that that answer holds up. It certainly isn’t consistent with conversations that I’ve had, particularly with folks at Google.
I will say that the data centre in Kamloops was built to accommodate the equivalent of four sections of servers. It’s a huge data centre, and of that footprint of four sections, only one section is currently in use.
There is tremendous capacity to expand the servers, and the services on those servers that could be managed by Canadians in British Columbia at the Kamloops data centre. That doesn’t appear to be a priority for this minister or this government.
I want to ask one more time, because I think…. The minister, again, keeps saying: “We’re in a hybrid model. We’re in a hybrid model.” Is she really saying that we’re going to potentially jeopardize or risk British Columbians’ personal information and data because the minister and her government haven’t tried or haven’t been successful at negotiating a contract with the companies in question — Google and, let’s say, Zoom? We’re going to jeopardize British Columbians’ data because Zoom won’t allow their services to be hosted on Canadian servers here in Canada? Is that really where we’re at?
Again, to the minister, has the B.C. government made the decision that the data residency requirements as per section 17 need to go? They’re going to be replaced with the allowance for moving, storing and accessing British Columbia data in, say, the United States, because the government hasn’t tried or hasn’t been successful at negotiating contracts with companies like Zoom and Google, when, apparently, we’ve had success at negotiating very similar contracts with the likes of Microsoft, Facebook, Amazon and any number of other companies.
Is that what the minister is saying?
Hon. L. Beare: We’ve clearly outlined with the member that we are committed to keeping data and personal information safe — and how important it is to our government. We’ve outlined with the member how it’s the controls around data that keep it safe.
I think the member should know the ministerial order has given us access to large-scale cloud services. That’s proven to be invaluable in responding to COVID-19. Public cloud services have allowed us to scale up and down quickly for things like increased demand in services, such as providing vaccine passports and delivering new services like chatbots, to provide info for British Columbians.
We need that info to be there when people need it. Public cloud providers add new security features daily to their programs to ensure safety. We are committed, through strengthening privacy impact assessments — through all of the other things that we’re going to get to throughout this bill — to ensuring that we keep data and people’s information safe.
T. Stone: I have another question on clause 17, in case the Chair was wondering.
I hear the minister, and again, the minister has said many times that government is committed to protecting this data, keeping this data safe. Fair enough. Those are easy words. I think everyone in this chamber feels the same way.
The minister has said several times now, and she just said it again, that she has outlined what protections will be incorporated in the approach, going forward, and detailed in regulations, including the provisions within the privacy impact assessments. We’re going to have to just take her word for it, because she’s verbalizing that. There’s nothing in writing anywhere that any of us can see.
There’s nothing in the bill that provides any of the details that the minister has talked about. Certainly, there were no draft regulations made available. And the minister has said several times now that part of the explanation that she offers for continuing to say the hybrid services are going to be with us for a long time….
These cloud-based services, as she just said, allow for an ease of scaling up and scaling down services. I totally understand all of that. But I just don’t buy the assertion that this country we live in, Canada — that we don’t have this infrastructure in place today, these capabilities in place today, the expertise here today. And a heck of a lot of examples of big U.S. and international companies that have made these investments here in Canada under contract to subnational governments like British Columbia and the federal government….
I want to again try to understand the why here. Is cost a driving motivation here? Is the minister sponsoring legislation that ends data residency so that the B.C. government can save money on storing and accessing information outside of the country? Is that one of the reasons that we’re doing this, that we’re going to take the risks that I think are inherent in doing this? We’re going to do it because we’re going to save 20 percent or 25 percent?
Perhaps the minister could outline for this House if a cost-benefit analysis of some sort has been done that provides the financial costs and benefits of the current method of storing and accessing British Columbians’ information compared to moving some — not all but some — of that information out of the country and having it stored and accessed in foreign jurisdictions, such as the United States.
Hon. L. Beare: The needs are broader than the Canadian choices. I want to remind the member that we are operating like this safely for 20 months. Other jurisdictions have been operating safely like this for years. Our privacy impact assessments are being strengthened to assess what data is appropriate to be stored elsewhere.
I want to make it very clear to the member that this is about service to British Columbians. I have a great quote here from a company that procures education IT resources for school districts: “Focused Education Resources recognizes the learning environment is moving more online each year. These changes to the data residency requirement will increase access to learning resources and give educators more ability to customize learning in their classroom for students, while still protecting students’ and educators’ personal information.”
We saw the need for this type of change during the COVID pandemic. We saw the uptake in services across the province. So we’re going to continue to provide those services and fill that need for British Columbians.
T. Stone: My question was: has the minister done any financial analysis of this decision? Was a cost-benefit analysis done? Was there any analysis done that looked at the cost implications, positive or negative, of moving data outside of British Columbia and having that data stored and accessed on foreign servers in foreign countries, managed by foreign individuals?
Hon. L. Beare: As I’ve said to the member, this change is about providing service to British Columbians. We want to ensure that our legislation keeps pace with new technologies, enhances privacy protections and provides a level of service that people expect from our government.
When the pandemic hit, we realized it was urgent that people have access to online services, like Google Classroom, like the ability to Zoom with their doctor online. So we put in a temporary ministerial order to meet those needs. I think, Chair, that the member can agree with me that these services were essential, over the past 20 months, in allowing our families to continue accessing telehealth, to continue accessing education, to continue accessing services provided by government online. It has resulted in good outcomes for British Columbians.
I want to read a quote here from Vancouver Coastal Health:
“As an organization that values innovation in order to maintain the highest level of care to patients, Vancouver Coastal Health welcomes improvements made to data residency requirements within the Freedom of Information and Protection of Privacy Act. These changes not only provide more flexibility and opportunity to implement the best available technologies to improve health care services, but they also enable us to access the most robust technology solutions to secure sensitive health care data and protect patient privacy.”
I think it’s absolutely vital that we, as the House, recognize that providing that service to British Columbians, which they’ve come to expect during the COVID-19 pandemic, is essential to keep. Our government is doing that through this legislation.
T. Stone: These services that have been provided to British Columbians during the pandemic, largely cloud-based services and third-party tools — which, as the minister has noted, have been of assistance to British Columbians in getting through this pandemic — are not what I’m quibbling with. What I’m quibbling with is why these third-party applications and these services, by default, have to be stored and accessed on servers outside of Canada, thus pulling British Columbians’ information outside of the country as well.
That’s a choice. It’s a choice that can be influenced by a number of different factors — one of which I’ve been trying to get at with the last couple questions: the budget implications or financial implications.
Again, I’m not quibbling with the value of these third-party services. I’m not quibbling with the fact that cloud-based services and technology are evolving very rapidly and that they’re enabling significant enhancements in service delivery for our citizens. I just don’t buy into the argument that these services can only, forevermore, be accessed and utilized on servers in an infrastructure and technology outside of Canada and, therefore, beyond the purview of Canadian law and British Columbia law.
I’ll ask one final time. The minister hasn’t chosen to answer the question. Has a financial analysis been done on this? I want to know if there is a cost-benefit analysis or some financial analysis. I know it exists, and I hope I don’t have to FOI it. I want to know if a financial analysis was done on this decision point to take what’s supposed to be a temporary order, this ministerial order that has been extended — what? — three or four times…. Fair enough. Extend it again if you have to.
I want to know what financial analysis has been done on this decision and its implications. Will the minister disclose that information to me, and will she do so forthwith?
Hon. L. Beare: As I believe it may be our last question or so tonight, I really want to take a minute to recap with the member that the changes in data residency and the requirements to do that are the right thing to do.
We’ve listened to the public. We’ve listened to businesses and organizations, through extensive consultation over several years on FOIPPA. We’ve heard from organizations like universities, health authorities and tech companies, which have repeatedly told us that our data residency rules are outdated, that they’ve stopped us from being competitive and, most importantly, from being responsive to people’s needs. It is our role as government to listen to what’s going on in people’s lives and to adapt, which is why we have these changes proposed before us today in this legislation.
I outlined with the member that the needs we have in the province are broader than the Canadian choices. We’ve been operating like this safely, Member, for 20 months, and other jurisdictions have been operating safely like this for 20 years. We’ve talked, in this chamber tonight, about how the privacy impact assessments will be strengthened and how it will be important to assess what data is appropriate to be stored elsewhere.
We’ve talked as well with the member on how many of our trusted vendors need to use modern, commercial, off-the-shelf technology that’s not available within Canadian data centres. Currently this is impeding our ability to deliver digital services. We want to make sure that we’re continuing to provide services that people have come to expect during the COVID-19 pandemic, the services that they rely on — like we’ve outlined, be it Google Classroom, be it FaceTiming or Zooming with your doctor. These are essential services that people are now relying on, and we need to provide that.
We will make sure that we enable informed choices on what’s best to provide those services to support citizens here in British Columbia.
I want to end with a quote that I have from FreshWorks Studio: “For individuals and businesses across B.C., this opens up many possibilities for faster and more streamlined and accessible services while offering even greater protection of personal information. As a result, public bodies, and organizations like ours that work with them, will now have greater access to modern tools and robust cloud-based technology from reliable service providers like Amazon, Microsoft and Google.”
I believe it’s vital that we continue to provide the services that British Columbians have counted on during the pandemic and will continue to count on, moving forward.
With that, I ask that the committee rise, report progress and ask leave to sit again.
Motion approved.
The committee rose at 5:23 p.m.
The House resumed; Mr. Speaker in the chair.
The Committee of the Whole, having reported progress, was granted leave to sit again.
Hon. M. Farnworth moved adjournment of the House.
Motion approved.
Mr. Speaker: This House stands adjourned until 10 a.m. on Monday, November 15.
The House adjourned at 5:24 p.m.