My weekly Law Bytes column (Toronto Star version, homepage version) examines the growing controversy over the mandatory fingerprinting of students taking the LSAT. There has been swift reaction to the thumb-printing story, with the federal, British Columbia, and Alberta Privacy Commissioners joining forces in a combined privacy investigation. Moreover, the Canadian Council of Law Deans, which represents law schools across the country, has expressed concern over the practice, acknowledging that the data could be subject to a USA Patriot Act request. The Council raised questions about whether the practice might violate federal and provincial privacy statutes.
I argue that the story is much bigger than just the LSAT. First, the LSAT is not the only widely administered standardized test that collects biometric information such as thumbprints. The GMAT and MCAT, used for business and medical school admissions both collect thumbprints (the GRE, a graduate school test, snaps a digital photograph of the test taker instead). Together, more than 400,000 students worldwide take the LSAT, GMAT, and MCAT each year.
Second, while the standardized tests have garnered the lion share of attention, the schools have been reticent to admit that the full student records – including admission information, grades, papers, and other evaluations – could conceivably also be made subject to a USA Patriot Act request.
The U.S. courts have been willing to extend the reach of national law beyond their borders provided that the foreign entity maintains sufficient connections such that it meets a "personal jurisdiction" test. In the case of many Canadian universities, the combination of exchange study programs, fundraising initiatives, and student recruitment drives could meet the jurisdiction test. For Canadian students, this suggests that their data is already at risk – long after the LSAT, GMAT or MCAT has been forgotten.
If that were not problematic enough, in the bigger picture even more personal information could be the target of a USA Patriot Act request. Financial information, much of which is already transferred to the United States for processing, may be caught, as is health data, such as prescription records, that are held by private sector companies with U.S. connections.
The Federal Privacy Commissioner considered this issue last year as part of an investigation into complaints against a major bank' s practice of transferring its customer data to the United States. The Commissioner concluded that the bank had complied with Canadian privacy laws, while conceding that the current statute is ill-equipped to deal with this emerging concern.
In order to address the issue, Canada would need to establish a "blocking statute" which creates a specific legal obligation that prevents an organization from complying with both U.S. and foreign law. For example, Canada attempted to enact a blocking statute in response to the U.S. Helms-Burton law that established restrictions on conducting trade with Cuba. The current privacy statute does not rise to the level of a blocking statute, but the addition of new penalties for non-compliance could change that.
The concern over the LSAT may ultimately result in reforms to the test taking procedures. In the meantime, prospective Canadian law students are experiencing their first real law lesson months before setting foot in the classroom.