Notes on Nova Scotia’s FOIPOP Reform Bill

On Friday, the Nova Scotia legislature introduced Bill 150, a new statute that consolidates the province’s public sector access and privacy laws and introduces key modernization reforms. Below are some quick highlights from the bill.

Class-based exemption for security control information. I just posted last week about withholding information that could jeopardize network security. Nova Scotia’s proposed legislation includes a novel class-based exemption that permits a head to withhold “information the disclosure of which could reasonably be expected to reveal, or lead to the revealing of, measures put in place to protect the security of information stored in electronic form.” Having previously negotiated with regulators to exclude control-related details from investigation reports, I view this language as both protective and positive.

New privacy impact assessment requirement. Under Bill 150, public bodies will be required to conduct a privacy impact assessment (PIA) before initiating any “project, program, system, or other activity” that involves the collection, use, or disclosure of personal information. The PIA must also be updated if there is a substantial change to the activity. A key question is whether the term “other activity” is broad enough to include non-routine or minimal data collections—which public bodies may prefer not to assess.

Power to collect for threat assessment purposes. This touches on an issue I’ve followed for years: behavioral threat assessment and the conduct of so-called “threat inquiries.” Conducting a threat inquiry in response to concerning behavior to properly assess a human threat is a best practice that arose out of a 2004 United States school shooting report. However, the legality of such inquiries has been questioned when they are conducted by institutions without a law enforcement mandate. Nova Scotia’s proposed legislation includes a new authorization to collect personal information—either directly or indirectly—for the purpose of reducing the risk that an individual will be the victim of intimate partner violence or human trafficking. This is a positive step, but it raises a key question: What about other forms of physical violence? The statute’s narrow focus may leave gaps in protection where threat assessments could be equally justified.

New offshoring rules. The new statute, if passed, will repeal the Personal Information International Disclosure Protection Act (PIIDPA), Nova Scotia’s statute that prohibits public bodies and municipalities from storing, accessing, or disclosing personal information outside of Canada unless an exception applies. It will, however, replace PIIDPA with a new provision that could be used to continue a similar prohibition. The new provision prohibits disclosing and storing personal information outside of Canada (as well as permitting personal information to be accessed from outside of Canada) unless in accordance with regulations. It does not contemplate regulation of service providers and their employees, which is a feature of PIIDPA.

New breach notification. The new statute, if passed, will include privacy breach notification and reporting, triggered when “it is reasonable to believe that an affected individual could experience significant harm as a result of the privacy breach.” This is equivalent to the “real risk of significant harm standard” in my view.

Supreme Court power to remedy breaches. The new statute, if passed, will give the Nova Scotia Supreme Court the power to issue orders when “personal information has been stolen or has been collected by or disclosed to a third party other than as authorized by this Act.” British Columbia has a more elaborate version of such a provision, which can help public bodies respond to breaches given ongoing legal uncertainty around the status of personal information as property.

Hat tip to David Fraser.

Three (literal) highlights from the IPC Ontario submission

If Ontario follows through with its commitment to enact privacy legislation, the IPC/Ontario will break from her current constraints to become a privacy regulator with global relevance. We ought to listen carefully to what she is saying about reform and build a strong sense as to how she is inclined.

On October 16th, Commissioner Kosseim filed her submission to the province. It is detailed, thoughtful and strikingly moderate. It has no talk of the concept of “fundamental human rights” that has drawn the attention of the federal commissioner. Rather, the Commissioner says that balancing privacy rights with legitimate business needs is a “virtue.”

Read the submission yourself, but here are the three parts of it that I highlighted in my own read.

First, the Commissioner says we need to reframe the role of consent and develop more principled exceptions, but consent should still be at the top of the hierarchy of the bases for processing:

Some might propose that the solution lies in a GDPR-like architecture by adopting multiple grounds for lawful processing of data, whereby consent is only one such ground on the same and equal footing as other alternative bases. However, we believe that non-governmental organizations should first be required to consider whether they can obtain meaningful consent and stand ready – if asked – to demonstrate why they cannot or should not do so before turning to permissible exceptions for processing. This approach would be more in keeping with Ontario values that promote individual autonomy and respect consumer choice. Whenever it is reasonable, appropriate, and practicable for people to decide for themselves, they should be given the opportunity to do so.

Second, the Commissioner is clearly interested in AI and its implications and clearly sees value in fostering data-driven innovation, though does not propose any solutions, calling the handling of data-driven innovation “the most challenging piece to get right in any new private sector privacy law.” Here’s my highlight on this issue:

While Purpose Specification, Consent, and Collection Limitation continue to be relevant principles, a more modern private sector privacy law would need to reconsider the weight ascribed to them relative to other principles in certain circumstances. For example, in an era of artificial intelligence and advanced data analytics, organizations must rely on enormous volumes of data, which runs directly counter to collection limitation. Data are obtained, observed, inferred, and/or created from many sources other than the individual, rendering individual consent less practicable than it once was. The very object of these advanced data processes is to discover the unknown, identify patterns and derive insights that cannot be anticipated, let alone described at the outset, making highly detailed purpose specification virtually impossible.

Finally, nobody should underestimate the significance of the potential for Ontario employers to become regulated in respect of their employees. On this issue, the Commissioner’s position is clear:

Individuals should have the ability to perform their jobs with the confidence that their employer will keep them safe, while also respecting their privacy rights. Accordingly, we recommend that any private sector privacy law in Ontario should apply to all employee personal information to fill this glaring gap in privacy protection.

IPC Comments on the Ontario Government’s Discussion Paper, IPC/Ontario, 16 October 2020.