Is Lawful Access Back? With comments on the govt's' disinformation-filled attempt to revive it

On November 19, senior government MPs on the “crime file” held an unexpected press conference that suggests the government is looking to pull lawful access back from the grave. This press conference was full of misinformation and half-truths about the current state of the law and the government’s proposals. 

You may recall that the government introduced Bill C-2, the Strong Borders Act as its very first substantive bill in Parliament following the recent election. It seemingly came out of the blue and its proposed changes to the law related to law enforcement and national security access to information were roundly condemned. As a result, the bill has languished and has not been referred to committee. 

In another strange move, the government tabled a new bill (Bill C-12) that essentially was the Strong Borders Act but without the lawful access parts, apparently so they can fast track the other parts of Bill C-2. The new Bill C-12 is currently being considered by the House of Commons Standing Committee  on Public Safety and National Security. 

Most of us assumed that was the end of lawful access. Apparently not. 

Earlier this week, Public Safety Minister Gary Anandasangree, Transport Minister Steve McKinnon, Secretary of State for Combatting Crime MP Ruby Sahota held a press conference defending “lawful access” and calling for the Conservatives to get onboard. If it hadn’t been for Michael Geist’s eagle-eyed attention to this topic, it might have been completely missed. The full press conference is on YouTube and I’ll link to it below.

The press conference was filled with misinformation about their own proposals and about the current state of the law.  There are some things that are defensible, but they just can’t get out of their own way. Having watched it a couple of times, it was like they really don’t know much about their own bill or how law enforcement currently operates.  

Everything said in the press conference seemed to relate to the provisions in Part 14 of Bill C-2, which are principally new demands and orders for customer information. I did not hear anything said that was a clear reference to Part 15 of Bill C-2, which would create a whole new law called the “Supporting Authorized Access to Information Act”.  And what’s also weird about that is the politicians there are associated with the Department of Public Safety, which we are told is the author of Part 15. Part 14 of Bill C-2 was written by and is the responsibility of the Department of Justice, which was absent from the press conference. 

The press conference was full of confused political puffery. And some statements were entirely incorrect and would leave any viewer misled. They accused others of engaging in dispensing misinformation, which is just rich.

They repeatedly said that the new tools for law enforcement have judicial oversight. Here is Secretary of State for Combatting Crime MP Ruby Sahota:

“They have also made it extremely clear that these tools are not warrantless surveillance. They are used with judicial authorization and clear legal thresholds, including modernized production and (...) preservation orders, clarified duties for surveillance providers, and access to basic subscriber information only on judicial order with strong safeguards.”

I assume instead of “surveillance providers”, she meant to say “service providers”. 

“Bill C2 gives police the tools they need with oversight Canadians expect.(...) Judicial authorization,(...) clear legal thresholds, strict limits on what can be accessed and when, and no warrantless surveillance full stop.(...)”

The WARRANTLESS information demand is just that. No warrant. No judicial authorization required. 

They said that we’re just talking about getting customer names and addresses, so no big deal. 

“We're trying to connect phone numbers to names and addresses, and then judicial authorization would have to get involved even further in order if that person was a suspect and we needed further information. So it's not about encrypted, you know, data or information. It is about connecting a name or an IP address to a phone-- to an-- I mean, an IP address or a number to a name and an address. That's all this is about.”

This also is incorrect and significantly misleading. Customer names and addresses from telcos are certainly “in scope”, but these provisions are not at all limited to telcos. This applies to anyone who “provides services to the public.” You know who also provides services to the public? Your doctor. It can be used with telcos, and it can be used with your doctor’s office. 

And it’s not limited to “customer names and addresses”. Creates a mandatory disclosure of “subscriber information” that is defined so broadly that it includes ALL “information that the subscriber or client provided to the person in order to receive the services”. Yes, that’s the medical history form you filled out when you first visited the clinic. It includes the types of services the clinic provided to you and information about any specialists you were referred to. The scope of this is breathtaking. It does require judicial authorization, but with the lowest burden of proof our legal system has. Something just more than a hunch. And the judge can’t say “hey, all you need is a name and address” so we’ll limit the order to that. Nope, the order is for all SUBSCRIBER INFORMATION. 

And there was also some horrific misinformation about the tools the police currently have to do their jobs.

“The regime we have today is unacceptable. So I'd like to share some examples so that I can bring the issue to light. I find that there's not been a lot of coverage on extortion, but you've definitely been hearing about it in the House. That's because many of our communities are suffering from these cases. And what's unacceptable right now is it taking six months for the police to be able to get judicial authorization, to be able to connect a phone number to someone who's extorting an individual in my riding, who has been out of their home because their home has been shot up and it's dangerous for their kids to live there. They can't go to school in a regular routine. They can't operate their business. And that's unacceptable. And I believe in Canada, our law enforcement should have the capabilities of being able to track down violent criminals such as these.”

I am sorry. If it is taking the police six months to get a warrant after a house has been shot up … the police simply are not doing their jobs and are not using the tools they currently have. A police officer in a squad car can pick up the phone and get a production order, if circumstances exist for dispensing with the formalities of a personal appearance before a justice of the peace. 

The Honourable Ruby Sahota is the MP for Brampton North Caledon in Ontario. The local police of her jurisdiction is the Peel Regional Police. I’ve seen many production orders obtained by officers in the Peel Regional Police. I really, really doubt that it takes six months of effort to get a production order. Most of them are issued within a very short period of time from the alleged offence. Just for illustration purposes to find something on the public record, I did a really quick search in a public legal database and found a case from Brampton that will illustrate the current process. The case is called R v Owen, 2017 ONCJ 729. 

The investigation began on March 23, 2015 of an unknown individual suspected of downloading images of child abuse. They had an IP address connected with the suspected crime, but didn’t know who it was connected to. They could determine the internet service provider. After some investigating, the Peel Police sent a preservation demand to the internet service provider, requiring the ISP to preserve the account information while they got a production order. On April 7, they applied for a production order to get the customer name and address from the internet service provider. The order was issued the next day. Less than a week later, on April 17, the internet service provider provided the information. Three days after that, on April 20, the police had a warrant to search the home. (I should note that the reason why the Owen decision goes into so much detail was that the production order and the search warrant were thrown out because the police misled the court in getting them.)

But setting that aside, that’s nowhere near six months. The laws in effect in 2015 are essentially the same laws we have now, that the government wants the police to be able to side-step. Suggesting it takes six months to get a production order is an outrageous statement from the “Secretary of State for Combatting Crime.” It’s so outrageous that I assume it’s an outright lie. 

Here’s what’s currently in the criminal code, which authorizes the cops to go to a judge and get an order for customer name and address – or any other information – if they have reasonable grounds to believe an offence has been committed and the addressee of the order has the data. What’s proposed in Bill C-2 is an order based solely on a hunch – reasonable grounds to suspect an offence has taken place. And the scope of the production is much broader. Fewer grounds and more information. 

Look, if the government thinks their proposal has merit and should proceed through parliament, they should be prepared to actually justify the new powers. And they should do it with facts and not political puffery or straight BS. 

I will assume – at least for now – that the Minister of Public Safety is being honest when he acknowledges that the current bill is flawed and is willing to listen to feedback to make it acceptable:

“Um, it is not a perfect piece of legislation. So, we are open to to uh to feedback from uh from our partners, from uh uh from civil liberties groups, from other uh entities that may have an interest um in this area. And we will work across party lines to make sure that we have consensus on on having a lawful access regime that is acceptable to Canadians.”

I’ll link below to my previous episodes where I discuss, in some depth, Part 14 and Part 15 of Bill C-2, in case you want the straight goods on what’s in the Bill. So far, nobody has accused me of making stuff up. 

My previous video on Part 14 of Bill C-2: https://youtu.be/wOgo4TuoJec

My previous video on Part 15 of Bill C-2: https://youtu.be/E1LV2fcD9Bs

Online reviews and privacy claims: Lessons from RateMDs v Bluler (BCCA)

 

Can a doctor claim a privacy violation because a website creates a profile for them using public information, hosts anonymous reviews, and ranks them against their peers?

The British Columbia Court of Appeal says no in RateMDs Inc. v. Bleuler, 2025 BCCA 329. Let’s walk through what happened — and what this means for privacy in Canada.

Let’s start with the background to this case.

RateMDs.com is a website where people can look up health professionals, read and post reviews, and compare ratings. You’ve probably seen it — you search for a physician, and you get their name, their contact information, their ratings, and often a long list of anonymous comments.

Dr. Ramona Bleuler, a BC physician, discovered that RateMDs had created a profile for her. She didn’t ask for it. She didn’t consent to it. And she couldn’t remove it.

The platform listed her name, her professional contact information, a list of reviews from anonymous users and a comparative ranking of doctors in her specialty and geographic region.

RateMDs also offers paid subscriptions that allow physicians to hide a limited number of reviews. Dr. Bleuler wanted to start a class action on her own behalf and on behalf of other physicians in Canada who had listings on RateMDs. 

Class actions – at least in Canada – have specific procedures, which require that the class action be certified before it can go ahead. There are a number of things the court must look at pursuant to the Class Proceedings Act, but the most important question for our analysis here is whether the pleadings disclose a cause of action. When you read the pleadings, and assume that the facts are true and provable, is there an actual legal claim there? This is a screening function to weed out any legal claims that are bound to fail, and the court is only supposed to examine the facts alleged in the statement of claim. 

This case principally turns on whether the legal claims made by the representative plaintiff are viable. 

So the plaintiff sued RateMDs and its parent company under the provincial Privacy Act. She said that by creating a profile for her, hosting reviews, and ranking her relative to her peers, RateMDs violated her privacy.

She wasn’t claiming that specific reviews contained private information. She wasn’t arguing defamation. Her claim was broader: she said the very act of aggregating, hosting, and ranking health professionals without their consent violated privacy law. In particular, the plaintiff was relying on the statutory privacy torts created by the legislatures of British Columbia, Saskatchewan, Manitoba and Newfoundland. The proposed class would be physicians who reside in those provinces. The plaintiff also tried to rely on Quebec’s privacy statute, but that part wasn’t allowed to proceed in the lower court. 

She relied on two sections of the British Columbia Privacy Act, and their equivalents in the other provinces.

First, section 1, which creates a tort — actionable without proof of damage — where a person ‘wilfully and without claim of right’ violates the privacy of another.

Violation of privacy actionable

1 (1) It is a tort, actionable without proof of damage, for a person, wilfully and without a claim of right, to violate the privacy of another.

Second, section 3(2), which prohibits the unauthorized use of someone’s name or portrait for the purpose of advertising or promoting the sale of goods or services.

Unauthorized use of name or portrait of another

3 (2) It is a tort, actionable without proof of damage, for a person to use the name or portrait of another for the purpose of advertising or promoting the sale of, or other trading in, property or services, unless that other, or a person entitled to consent on the other's behalf, consents to the use for that purpose.

Her argument was that RateMDs is a commercial enterprise. The profiles draw traffic, the reviews attract users, and the rankings keep people engaged. Because this commercial model depends on using doctors’ names and contact information, she said this amounted to both a privacy violation and commercial exploitation of identity.

The BC Supreme Court agreed the case should go forward. The judge certified the class action. I have to emphasize that this was only based on the pleadings and the court was essentially saying that the claims looked viable, but that didn’t mean the plaintiffs would win at any eventual trial. 

But RateMDs appealed. And at the Court of Appeal, everything changed.

The Court of Appeal approached the case by asking the basic but crucial question: Even assuming all the facts in the claim are true, is there a viable cause of action under the privacy statutes?

Again, this is a threshold question in class action certification. You don’t look at evidence. You look at the pleadings. You ask whether the claim has a reasonable chance of success.

A claim can be novel — that’s okay. But if it’s doomed to fail, the court must strike it.

Here’s the heart of the Court of Appeal’s reasoning:

At least for the purposes of a civil claim, privacy starts with identifying private information. And the claim failed at this starting point.

The Court of Appeal said:

●        A doctor’s name is not private.

●        Professional business contact information is not private.

●        Reviews written by patients about a doctor’s professional services are not private.

●        Rankings based on those reviews are not private.

The Court emphasized that privacy law protects reasonable expectations of privacy. And when someone is carrying out professional, public-facing work, the threshold for privacy protection is different.

The Court relied on earlier BC cases — including Niemela v. Malamas — which held that complaints about how a lawyer performs their work do not attract a reasonable expectation of privacy. Professional reputation is not the same thing as privacy.

The doctor tried to frame her privacy right as a right to control how information about her was used. But the Court said: control only exists if there’s a privacy interest in the underlying information. If the information is not private, there is nothing to control. Or at least privacy torts don’t leap in to give you that control. 

For privacy lawyers, this is an important clarification: The BC Privacy Act protects privacy, not reputation, and not personal preference about the use of publicly available professional information.

The Court concluded that because there was no reasonable expectation of privacy in the information posted on RateMDs, the privacy claim under section 1 was bound to fail.

The Court also noted an important distinction: This case wasn’t about whether any particular review contained sensitive information. The plaintiff expressly disclaimed that argument. She said the content didn’t matter — only the existence of the profile and the ranking system did.

The Court said that privacy law doesn’t work that way. You can’t claim a violation based on a website compiling publicly available information unless there’s some private content involved.

So the broad theory — that creating a profile and ranking professionals without their consent is itself a privacy violation — was rejected. There would have to be something more … and in this case, there was not.

The BC Supreme Court judge had relied in part on the rules governing how health professionals can advertise. For example, doctors can’t use testimonials. They can’t compare themselves to colleagues. The judge below thought this regulatory context created a privacy interest.

The Court of Appeal disagreed.

Those rules regulate doctors. They do not regulate third-party websites. They do not create privacy rights. And they do not convert publicly available information into private information. The Court of Appeal wrote at paragraph 98: “However, the interest of provincial regulators in restricting advertising by health professionals has no obvious connection to the respondent’s asserted privacy interest. The regulatory concern is to protect the public, not to protect the privacy of health professionals. That regulatory interest has nothing to do with the plaintiff’s reasonable expectation of privacy.”

So the regulatory framework could not be used to manufacture a privacy interest where none otherwise existed.

Next, the Court examined the claim under section 3(2) — unauthorized use of name or portrait for advertising.

This is the ‘misappropriation of personality’ tort. It typically covers: (a) using someone’s name or image in an ad, (b) using a person’s likeness to promote goods or services or (c) endorsements without consent.

RateMDs wasn’t using doctors’ identities to advertise or sell anything in the sense required by the statute. It was running a platform where reviews are posted and accessed. Running a commercial website that uses names in this manner doesn’t cut it. That’s not the kind of commercial exploitation section 3(2) is meant to capture.

So the Court of Appeal found that the claim under section 3(2) was also doomed to fail.

With both privacy causes of action rejected at the threshold stage, the Court of Appeal allowed the appeal, set aside the certification order and dismissed the action entirely. This was a complete win for RateMDs.

What are the broader implications?

First, the Court drew a clear boundary around privacy law: You can’t use privacy torts to challenge the existence of a professional review platform.

Second, the decision reinforces that privacy torts require a reasonable expectation of privacy in identifiable, specific information. That expectation must be grounded in: (a) the nature of the information, (b) the specific context, and (c) established privacy norms.

Third, platforms that rely on publicly available, professional information to generate profiles or rankings are, at least under BC’s statute and its equivalents, unlikely to face successful privacy claims — unless they publish actually private or sensitive data.

Fourth, the Court left open — deliberately — that if a review leaks confidential information or medical information, that could be a privacy violation. But that’s not what this case was about.

Finally, this is a reminder that privacy law is not a catch-all remedy for online reputational harm. Other legal avenues may exist such as defamation — but the privacy tort has a defined scope.

A last thing to note, which is important, is that this decision was made in the context of privacy torts – civil claims for invasion of privacy or use of image and likeness. Under our more general privacy statutes, such as the Personal Information Protection and Electronic Documents Act, whether information is “personal information” – and thus whether the statute applies to it – does not depend on whether the information is “private” or the “confidentiality” of the information.

A person’s name is subject to those laws, but may simply be less “sensitive”. Though a lot of the same principles may be in play, one should always be cautious about assuming that what a court says in the tort context will apply directly to our commercial privacy laws.

Nova Scotia's new Freedom of Information and Protection of Privacy Act (Bill 150)

In just the past month, kind of unexpectedly, the Nova Scotia government introduced and passed a new public sector privacy and access to information law that completely replaces the existing Freedom of Information and Protection of Privacy Act (known here as “FOIPOP") with a new law that will come into effect in April of 2027.

This isn’t completely out of the blue because the Nova Scotia government has been “reviewing” FOIPOP since 2022, but unlike in most provinces it has been “behind the scenes”. Unlike other provinces, which have public consultations, Nova Scotia’s consultation on transparency was behind closed doors.

I wrote to the then Minister of Justice seeking to participate on behalf of the Nova Scotia branch of the Canadian Bar Association’s Privacy And Access Law Section. The CBA was never invited to chat. I wonder who else commented. We were told that the results of this review would be made public, but they never were. All we got was Bill 150, dropped in the legislature on September 26 and passed on October 3. There was no real opportunity given for privacy and access to information experts to appear in committee with their comments. 

In this episode, I’m going to do a relatively high-level overview of what’s changing with the new FOIPOP that will come into effect in 2027. There’s some good, some bad and some changes that I’m indifferent to. I hope I can provide a relatively unbiased view of it, given that I do legal work for applicants who are seeking access to records, for public bodies who have to comply with the law and third parties whose records held by public bodies are sometimes the subject of access requests. 

There’s a big change to the purposes clause of the law. The original FOIPOP was relatively unique among access to information laws in Canada in that it clearly had as its intent full transparency, accountability and access – as fundamental to how democracy should work. 

The purpose clause in the current act includes:

2. The purpose of this Act is …

(b) to provide for the disclosure of all government information with necessary exemptions, that are limited and specific, in order to

(i) facilitate informed public participation in policy formulation,

(ii) ensure fairness in government decision-making,

(iii) permit the airing and reconciliation of divergent views;

That part is gone. Just removed. The leader of the opposition made a motion to have it returned, but the motion was defeated.

That’s too bad. The purpose clause is important in how regulators and courts approach the law, and future governments will be able to say it was removed for a reason and that should influence how it is interpreted. That’s a real step backward. 

As I said, the new Act fully repeals and replaces the earlier statute. It restructures the entire Act into clear Parts (e.g., Part I – Freedom of Information; Part II – Protection of Privacy; Part III – Reviews and Appeals; Part IV - Information and Privacy Commissioner), and has a number of standardized definitions for consistent terminology (like “access request,” “correction request,” etc.), and procedural timelines are now measured in business days rather than calendar days. This will draw out access requests. Previously, the public body had thirty days; now it’s thirty business days. That’s thirty five percent longer. Easier on the public body, to be sure, but it will mean it takes longer to get requested information from public bodies.

An important change in the new FOIPOP is that it will include municipalities. The Commissioner's jurisdiction is significantly expanded through the consolidation of provincial and municipal regulation. Specifically, the new Act repeals Part XX of the Municipal Government Act and integrates municipalities and municipal bodies into the general FOIPOP framework. Part XX of the MGA was generally a mirror of FOIPOP, but with some significant differences. Bringing municipalities into FOIPOP means the Commissioner now has explicit and uniform jurisdiction to conduct reviews and investigations involving municipal units. The Review Officer's previous roles in handling appeals related to access and correction requests are maintained, but the new Act formalizes two new categories of complaint investigation called Privacy Reviews. These reviews can be initiated by individuals who believe their personal information was collected, used, or disclosed in contravention of the Act, or proactively by the Commissioner if there are reasonable grounds to suspect a contravention.

One of the most important changes is that the former “review officer” is now the Information and Privacy Commissioner of Nova Scotia, and will be an officer of the Nova Scotia House of Assembly. While still appointed by the Governor-in-Council, this position is much more independent of government than under the present Act. A big miss, at least as far as critics are concerned, is that the Commissioner does not have the ability to issue binding orders on public bodies. That position still just issues recommendations, and it’s up to applicants to go to court to get orders.

The 2027 Act introduces or revises numerous definitions, including “Personal information” which now explicitly includes IP addresses, biometric data, and genetic characteristics, while excluding business contact information.

In the part of the Act related to the right of access to public body records, changes clarify that the right of access extends to records in custody or control of a public body, but not to duplicates or exact copies. It says that part of a record that can be withheld and can be reasonably severed, access must be provided to the remainder of the record.

Not surprisingly, the amendments made earlier this year related to frivolous, vexatious and unduly repetitive requests have been continued in the new FOIPOP. The Commissioner must approve a request from a public body to disregard a request, with defined criteria and 14-business-day timelines for both application and decision. It does provide applicants with a right to appeal to the Supreme Court of Nova Scotia if their request is disregarded.

Almost all the timelines in FOIPOP have been extended. All procedural periods are now in business days (such as giving a public body 30 business days to respond to an access request). It also introduces an  explicit suspension of time calculations while fees are being negotiated or reviews are underway (s. 20).

The government gets to set a standard application fee pursuant to the regulations, and also sets  service-based fees but exempts requests for one’s own personal information and provides 3 free hours of work time. Public bodies can charge additional fees if the request will take more than three hours. When presented with a fee estimate, applicants may narrow their requests accordingly. Once the request is being processed, a public body can provide a “revised fee estimate” that the applicant can either accept or revise their request. Fee estimates and revised fee estimates can be referred to the Commissioner. 

There remains a possibility for fee waivers where disclosure serves a public interest (e.g., environment, public health, or safety), or if the applicant can’t afford to pay the fee.

One thing that is interesting and progressive: The new FOIPOP specifically says that public bodies must provide electronic records in “an electronic form that is capable of re-use”. This is positive. If the record is an Excel spreadsheet, the spreadsheet itself should be provided and not just a photocopy of the spreadsheet. (There are few things as useless and opaque as a print-out of an excel spreadsheet full of formulas.)

There are a number of changes that will restrict public and journalistic access to records. The first is an expansion of the definition of “legal privilege” to specifically include settlement privilege. And at section 86(2), the Information and Privacy Commissioner will not be able to inspect a record that is alleged to be privileged to determine if it actually is privileged. Only the Court can do that, and the process to get there can be set out in the regulations.

The second major restriction on the right to know is essentially excluding any right of access to any record that is defined as an “Executive Council record”, going well beyond what was traditionally “cabinet confidences.” To make it worse, in section 32(2), a head of a public body is prohibited from disclosing Executive Council records. There’s no discretion. 

The new Act expands the privacy sections substantially and in a good way, but most of the details will have to wait until we get to see the regulations.

Every public body will have to have a privacy policy and has to publicly disclose its internal privacy-complaint process.

Once the Act comes into effect, every public body will have to carry out a privacy assessment for any new or substantially changed “project, program, system or other activity involving the collection, use or disclosure of personal information”. The details for what must be in a privacy assessment will be determined in regulations. 

The new Act defines “Data-linking” programs – where two or more data sets are combined, either temporarily or permanently, and requires them to be carried out only in accordance with the yet to be seen regulations. 

There are some tweaks to the rules that permit a public body to collect, use or disclose personal information. These public sector privacy laws are generally not based on consent so these rules set the guardrails for public bodies. There are new rules related to inter-agency data sharing, research, and public-interest exceptions.

There’s a new explicit authorization for disclosure to protect individuals from intimate-partner violence or human trafficking.

The new Act introduces obligations to contain, assess, and notify affected individuals and the Commissioner of privacy breaches that pose a real risk of significant harm — aligning Nova Scotia with federal PIPEDA and other provincial models.

There is a weird new provision in s. 79 that authorizes a public body to go to court if “personal information in the custody or under the control of a public body has  been stolen or has been collected by or disclosed to a third party other than as  authorized by this Act”. They can get an order to return or destroy the personal information, or any other order the court considers appropriate to protect the personal information. 

If you’ve been reading or watching my stuff, you may recall that in 2020, the Government of Nova Scotia went to court to try to identify people who may have read unredacted Workers Compensation Appeal Tribunal decisions that were mistakenly given to the Canadian Legal Information Institute, known as CanLII, and they were posted online. I was one of the people they identified, and I was contacted by the government as part of their damage control.  (Here's a video I did on that on my YouTube channel: https://youtu.be/XETVLvkksj0.)

There’s also an interesting, quirky new section that essentially says that a public body is deemed to have not “collected” personal information if it does not relate to a program or activity of the public body, and they either delete it, return it or transfer it to another public body or federal government institution if it’s relevant to the other public body or institution’s programs or activities. 

Individuals still have a right to access their own information, and public bodies have an obligation to retain any information that has been used to make a decision directly affecting an individual for at least one year so the individual can exercise their access right. And also in such circumstances, the public body has to make every reasonable effort to make sure the information is accurate and complete.

While the former Privacy Review Officer Act existed separately, the new Act integrates and strengthens the privacy review powers directly within the consolidated statute, giving the Commissioner an explicit mandate to conduct Privacy Reviews. This authority can be used to investigate complaints that personal information has been improperly collected, used, or disclosed, and allows the Commissioner to proactively initiate an investigation if they have reasonable grounds to believe a contravention has occurred.

Finally, on the privacy side, the new FOIPOP revokes and replaces the Personal Information International Disclosure Protection Act or PIIDPA. That law generally prohibits a public body from allowing personal information to be stored outside of Canada or to be accessed from outside of Canada, subject to some exceptions. Under the new FOIPOP, a public body will only be allowed to store or permit access from outside of Canada in accordance with specific regulations, which we haven’t seen yet.

While the new independent Information and Privacy Commissioner is not granted the ability to issue orders or levy penalties in connection with access, correction or privacy reviews, the Commissioner does have broad powers in connection with carrying out such a review. The Commissioner can summon witnesses and compel records (other than records that are claimed to be privileged). The Commissioner can initiate a privacy review without a complaint or request if the “Commissioner has reasonable grounds to believe that a person has contravened or is about to contravene this Part”.

The Commissioner also has an important role to play in requests that a public body thinks is trivial, frivolous, vexatious or abusive. The public body has to seek the approval of the Commissioner to disregard such requests, which is an important check to prevent the overuse of these new provisions.

Individual complainants, exercising access, correction and privacy rights, still have recourse to the Supreme Court of Nova Scotia. In most cases, that will be following a review by the Information and Privacy Commissioner, but individuals do have the right to skip the Commissioner and go straight to the Supreme Court of Nova Scotia. Once you’re in the Court, it is what’s called a “de novo” proceeding meaning that the Court will determine the matter from the very beginning. And the court can issue binding orders.

Finally, the new FOIPOP expands the number and kind of offences that can result in charges and prosecution: this includes (a) willfully collecting, using or disclosing personal information in contravention of the Act, (b) willfully attempting to gain access to personal information in violation of the Act, (c) obstructing the Commissioner and (d) destroys, alters or falsifies a record to evade a request for access to records. 

So this represents a significant change to the privacy and access to information landscape in Nova Scotia. It repeals the old Freedom of Information and Protection of Privacy Act, the Privacy Review Officer Act, the Personal Information International Disclosure Protection Act and Part XX of the Municipal Government Act, replacing all of them with a new Freedom of Information and Protection of Privacy Act. As I said, it comes into effect in April 2027. 

This has been a relatively high-level overview of the new Act. Each time I read it, I find something new. I would encourage folks in Nova Scotia who have an interest in access to information and privacy to review the legislation, and let the government know if it raises any concerns. Though the process to get here has been the opposite of transparent, there is an opportunity before April 2027 to amend it before it comes fully into effect.