On June 10, 2022, the Centre for Information Policy Leadership at Hunton Andrews Kurth published a white paper entitled “Local Law Assessments and Online Services – Refining the Approach to Beneficial and Privacy-Protective Cross-Border Data Flows A: Case Study from British Columbia.” The paper discusses recent developments in British Columbia that demonstrated a recognition by law- and policy-makers of the importance of cross-border data flows to an efficient and effective public sector.

Specifically, the British Columbian public-sector privacy law, the Freedom of Information and Protection of Privacy Act, was recently amended to remove data localization requirements and significant limits on data transfers. This, however, was followed by guidance from the Office of the Information and Privacy Commissioner that appeared to require public bodies to conduct local law assessments (or transfer risk assessments) when using cloud services that involve processing or storage of personal data outside of Canada.

The paper argues that to avoid the potential pitfalls of local law assessments and to safeguard the legislative goal of enabling public bodies to use modern digital tools that rely on cross-border data flows, any local law assessment requirement should be clarified to enable its risk-based application. A risk-based approach to local law assessments avoids any categorical prohibition of transfers whenever some risk is found that cannot be completely eliminated through appropriate security and privacy controls, but would also enable consideration of other factors, such as the benefits of the transfer as compared to the risks. In addition, the risk-based approach would recognize that full-blown local law assessments may not be required in all circumstances, such as where the transferred data are historically of little interest to foreign governments. A risk-based approach to transfer requirements would enable public-sector entities to reap the benefits of innovative cloud-based technologies, while also encouraging them to adopt strong privacy and security practices that will protect personal data wherever it goes.