|Jul. 26, 2004. 01:00 AM|
|U.S. laws put Canadian privacy at risk|
LAW BYTESMICHAEL GEIST
Although it has garnered only limited attention in the rest of the country, for the past few months the British Columbia privacy and information technology communities have been embroiled in a high-stakes issue that raises difficult questions about the effectiveness of Canadian privacy law and the potential threat posed by data outsourcing to the United States. The issue first arose earlier this year when the B.C. government announced its intention to find a private sector partner to manage the operation of its medical services plan. Soon afterward, the B.C. Government and Services Employees' Union (BGSEU) launched a campaign opposing the contracting out to U.S. corporations. The union cited concerns that Canadian data could be disclosed to U.S. law enforcement agencies acting under the powers granted by the U.S. Patriot Act, which was enacted in response to the events of 9/11.The BGSEU filed a petition in court to block the outsourcing, arguing that transferring personal data out of the province to the U.S. would violate provincial privacy law. Even though the government agreed to place the outsourcing on hold, the issue continues to attract growing interest. A coalition of privacy groups has launched a campaign calling for a ban on such outsourcings. At the same time the B.C. Privacy Commissioner began public hearings seeking advice from privacy experts and interested parties from across Canada.Milana Homsi, a recent law graduate from the University of Ottawa who also studied at George Washington University Law School in Washington, D.C., and I recently responded to the commissioner's call for comment by releasing a study on the associated privacy issues and an assessment of applicable U.S. law (a full copy of the study can be found online at http://www.michaelgeist.ca).Our results suggest that the problem is actually far worse than is generally acknowledged. A review of both Canadian and U.S. law leaves little doubt that U.S. law does grant law enforcement authorities the power to compel disclosure of personal information without notifying the targeted individual that their information is indeed being disclosed (in fact, disclosing the disclosure is itself a violation of the law). The troubling truth, however, is that this is not strictly a Patriot Act issue. Rather, there are several U.S. investigatory powers that grant similar authority. These include grand jury subpoenas and national security letters, both of which predate the Patriot Act. Moreover, the application of these laws is not limited to U.S. companies but actually applies to any company with sufficient U.S. connections such that it could find itself subject to the jurisdiction of the U.S. courts. Several cases, including one involving the Bank of Nova Scotia, have found that the U.S. courts are entitled to apply U.S. criminal law, even in the face of a conflicting obligation under the foreign law. This is true both for U.S. companies operating subsidiaries in foreign countries as well as for foreign companies with U.S. subsidiaries.The one notable exception to this practice occurs where the foreign company is subject to a "blocking statute" in its native land. A blocking statute is viewed as a specific legal obligation that precludes an organization from complying with both U.S. and foreign law. For example, Canada attempted to enact a blocking statute in response to the U.S. Helms-Burton law that established restrictions on doing trade with Cuba, though the law did little to persuade U.S. courts that they should refrain from applying U.S. law.Since Canada's privacy law is unlikely to meet the blocking statute standard, it seems likely that U.S. law enforcement authorities may indeed compel the disclosure of Canadian data. In fact, this analysis suggests that the data doesn't actually have to leave Canada in order for U.S. authorities to successfully compel disclosure. As long as the data is controlled by an entity such as a major bank or multinational Internet service provider with U.S. ties, U.S. courts may apply their national law and force the disclosure of the Canadian personal information.While these facts alone are disturbing, the problem is exacerbated by the response of Canadian privacy law. First, it is unclear whether disclosures compelled by U.S. law would actually constitute a violation of the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's national privacy legislation. While the law requires user consent where personal information is disclosed to a third party, the statute contains several exceptions to this general rule.Of particular importance in this context, is an exception for disclosures under warrant or court order. The law does not specify whether the warrant or court order must come from a Canadian court, leading to the possibility that an order under the Patriot Act, a grand jury subpoena, or a national security letter would also qualify.Alternatively, the statute contains a further exception, established at the Canadian Security Intelligence Service's urging, for disclosures to government institutions or affiliates of government institutions where the disclosure is requested for the purpose of enforcing any Canadian or foreign law. While the law again does not specify whether this exception is limited to requests from the Canadian government, it is possible that the law could be extended to foreign governments. Even if limited to Canadian governmental institutions, however, it suggests that U.S. authorities could turn to their Canadian counterparts for help in order to fit within the exception.Based on this analysis, our report makes several recommendations. First, with PIPEDA slated for a legislative review next year, lawmakers should consider clarifying the jurisdictional reach of the statute so that there is a better understanding of the full impact of its exceptions.Second, for PIPEDA to serve as a blocking statute under U.S. law, changes must be made to create stronger enforcement mechanisms as well as to establish serious penalties for violation of the law. Without such reforms, it would appear that U.S. courts would uphold U.S. requests for information disclosure and discount any conflicting Canadian privacy obligation.Third, if Canadian data is to be requested by U.S. law enforcement, Canada should seek a formal or informal agreement with agencies such as the FBI on procedures relating to access to Canadian records. Such an agreement might provide Canadians with an additional layer of protection against inappropriate disclosures.Fourth, the privacy community should acknowledge that the current call for a ban on governmental outsourcing of personal information to the U.S. does not fully protect Canadian personal information. While such a ban would admittedly provide greater security for a small set of data, it does little to address the larger issue of the application of U.S. law to Canadian entities and the potential for disclosures that run counter to the spirit if not the letter of Canadian law.The B.C. outsourcing case has forced the Canadian privacy and outsourcing communities to come clean on one of Canada's unwanted privacy secrets. Simply put, the risk of secret disclosure of personal information to U.S. authorities by both U.S. organizations and Canadian organizations with U.S. ties is a real one and there appears to be very little we can do about it.
Michael Geist is the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa. He is on-line at http://www.michaelgeist.ca. The opinions expressed herein are personal and do not necessarily reflect those of the University of Ottawa.
Pay less than $3 per week for 7 day home delivery.