Last week, Bill 22 passed first reading in the British Columbia legislature. The bill purports to “strengthen access to information” (by introducing a fee for freedom of information requests) and “protect people’s privacy” (by weakening provisions such as data residency requirements which encourage the use of Canadian hosting).
The bill has support from leaders in industry and higher education:
“This is a positive development from government that B.C.’s tech industry welcomes,” said Jill Tipping, president and CEO, BC Tech Association. “The changes to B.C.’s data residency requirements will allow local companies to leverage cutting-edge technology to help B.C.’s public sector deliver the modern tools that citizens expect with the privacy protections they need.”
Jennifer Burns, associate vice-president, information technology and chief information officer, University of British Columbia, said: “UBC welcomes these proposed amendments. They will substantially increase the privacy and security of personal data with more robust and resilient services by allowing us to select the most secure and effective solutions. We appreciate the opportunity to collaborate with government on changes that will boost the competitiveness and efficiency of B.C. post-secondary institutions while helping protect our students, faculty and staff.”
Meanwhile, the bill has received surprisingly strong pushback from BC’s Information and Privacy Commissioner:
I agree that a new approach to data residency that more closely aligns our privacy laws with other Canadian jurisdictions and the EU’s GDPR is necessary. However, as you are aware, I am deeply concerned about how government proposes to do this. The proposed amendments remove the data residency requirement altogether, leaving any protections to regulations, about which we know nothing.
With respect, it is not enough for the government to say that guardrails will be put in place in regulations at a later date. As s. 33.1 currently reads, if the government chooses to not pass a regulation there will be no protections at all for personal information disclosed outside of Canada. Further, unlike the development of other regulations, such as those regarding data–linking (s. 76(2.1), government is not required to consult me—or anyone else—on the development of data residency regulations (s. 76.1).
That reference to an absence of consultation highlights a political backdrop to this bill that itself is troubling and odd.
There is a lot to this bill, and I will do my best to read and digest analysis as it emerges. For now, I want to highlight an admittedly self-interested element of this bill, relating to how BC’s post-secondary institutions manage their online infrastructure. While I welcome reforms that might simplify the often arcane processes around 3rd party internet applications in the sector, I anticipate some worrying consequences.
The current FIPPA law does not forbid the use of non-Canadian internet services. But it has been robust enough to promote local hosting, and a service such as BCNet’s incredibly valuable Educloud Server virtual data centre is largely justified as being “100% FIPPA compliant”. My fear is that the removal of data residency requirements (especially in the current form absent of any protections whatsoever) will hasten the ongoing move to “the cloud” we are seeing across the sector, a trend which has been accelerated by the Ministerial order that essentially suspended protections on an emergency basis during the COVID-19 pandemic.
Here in BC, FIPPA has been one of the few points of resistance to the march of big tech across the educational landscape. The past twenty months under the ministerial suspension order has felt like a case study of Naomi Klein’s Shock Doctrine. How else can we explain the the rush to adopt proctoring surveillance software, no matter the effects on students or the appalling behaviour of the vendors themselves? Or the rapid ubiquity of MS Teams, a creepy, CPU-melting, usability nightmare suddenly becoming the default virtual collaboration platform for BC institutions overnight, usually in the absence of any accessible privacy impact assessments? Brenna Clarke Gray asks: “As Microsoft is increasingly a cradle-to-grave software company, whose tools we use at every stage of our lives, how long will a students’ data follow them? Does the profile Microsoft builds, based on all of those Habits, follow the student to grad school, or into the workforce?” And beyond?
I’m not going to expend a lot of words here on why big tech is at least as harmful to the well-being of education as it is to society at large. There are countless thoughtful critiques and well-documented exposés, and it seems like every day brings another realization that should be stopping us in our tracks (like this, today). In educational circles, most of the ethically-oriented objections to the tech industry tend to focus on surveillance capitalism and its horrible effects. And for good reason. But reading the press release for this new privacy bill, I was fixated on that self-interest I mentioned earlier, the likely impacts on how digital technology is regulated and provisioned.
Call me a digital protectionist, but I fear the ongoing flight to the wonders of the cloud, and the uncritical submission to the seductive promises of big tech. These corporations and the hellish culture they’ve spawned embody the worst elements of predatory global capitalism. They are an environmental disaster, particularly with their ongoing “innovations” of AI and the blockchain. Their own labour practices are nightmarish, and their notions of data-driven efficiency relentlessly accelerate the exploitation of precarious workers. Their financial moves celebrate every excess of speculation and resulting income inequality. Human rights considerations go out the window if there’s an autocratic market to be tapped. Their preferred modes of social interaction promote extremism, polarization, hateful abuse and misinformation.
The last twenty years of the internet have demonstrated the vast and unchecked power that comes with owning and controlling the platforms, the ability to structure and profit from every interaction. It seems unbelievably short-sighted for the education sector to relinquish the dwindling amount of agency it still possesses… whether it be institutions unilaterally dismantling their capacity through outsourcing, or individual educators outsourcing themselves to publishers’ “homework systems” that explicitly seek to automate and replace the human teacher. For the most part, the academic elements of the typical university or college are sadly disengaged with the ethical and practical implications of their digital practices. And it shows.
A privacy law in one Canadian jurisdiction isn’t going to buck these likely inexorable forces. But I wish that scholars and educators might engage in critical examination of their practice, in careful consideration of effects, as one small space for something like resistance. Even if doomed, as an attempt to construct something human.
I’m the interests of not feeding the Twittering machine I’ll leave a comment here. You’re right to doom-monger. The absence of proper protections and “we’ll do it later” just sounds plain lazy and incompetent and the rest of it worries me that someone, somewhere needs to sign a very big contract in a hurry.
However, we can take some cheer that glorious de-regulation never results in anything really bad. Can’t think of a single example.
I hadn’t even considered the possibility of a big contract on the launchpad. Sounds all too plausible. Now I have something else to brood on… thank you?
Oh, you’re welcome! I have to wonder why entities like Unis are backing this if it doesn’t give them some benefits. If we know logically that data won’t be safer in systems where there’s no transparency or accountability then what else is in it for folks? Maybe the thinking is that this opens up more choice and we don’t need law to enforce this because we can take care of it in contracts with vendors?
Did the promise of future regulations come in the form of a giant novelty poster signed by the premier? Asking for a friend that has a premier that does that kind of bullshit and then ignores whatever nonsense PR statement they made and does whatever was originally planned anyway.
You do know that our Attorney General apparently leans libertarian Brian yes? In any event I’d love to host a convo if you’d be game.
I had not heard that specifically (beyond the BCCLA angle), but there does seem to be more criticism directed that way. In any event, would love to talk about this and/or catch-up soon Martha!
We need our politicians to develop an actual, strong aversion to any US-based tech corporations. They need to recognise how much sovereignty is lost (and countries *pay eyewatering sums* to give it away) to the people of their countries by foisting these autocratic corporations upon them.
I do wish considerations of sustainability, resilience, and autonomy would factor into these decisions.
And yes, IT as a means of transferring public wealth to private interests in a thing, and especially problematic in ed tech.
Reading your excellent post (thanks for doing the detailed reading that I didn’t have time for last fall) made me sad that there wasn’t more kick-back from edtech leaders beforehand. Unfortunately your title seems to be what we all did. Obviously not enough of administrators and edtech leaders read Audrey Watters or have looked closely at the mess the US school system is in because they allowed edtech-for-profit (huge profits) to dazzle them & expose even their youngest learners to a constant bombardment of marketing messages and data mining.