Article by Andrea Freund, ©2005 Blake, Cassels & Graydon LLP
This article was originally published in Blakes Bulletin on Privacy - February 2005
Much attention has been focussed recently in Canada on the privacy issues arising out of the use of service providers for data processing services where the data is either stored in the U.S. by a U.S. organization or is stored in Canada by a Canadian organization where such organization has a U.S. affiliate (in each case, a U.S. linked service provider). This issue was highlighted with the release, on October 29, 2004, of the report of the Information & Privacy Commissioner for British Columbia entitled "Privacy and the USA Patriot Act" (the B.C. Report), which draws attention to the potential risks of using U.S. linked service providers to provide data processing or storage services. Furthermore, recent amendments to the British Columbia Freedom of Information and Protection of Privacy Act (FOIPPA) (which amendments came into force on receiving Royal Assent on October 21, 2004) were implemented at least in part to address concerns with outsourcing public body data processing activities to U.S. linked service providers.
The B.C. Report considers the implications of transfers of personal information for processing, particularly in light of the USA Patriot Act which, among other things, amended the U.S. Foreign Intelligence Surveillance Act (FISA) to permit U.S. authorities to obtain records and other "tangible things" as a way of protecting against international terrorism and clandestine intelligence activities. The USA Patriot Act also expanded the circumstances under which the FBI can issue national security letters in the U.S. to compel financial institutions, phone companies and Internet service providers to secretly disclose information about their customers. The B.C. Report underscores the concern that the Foreign Intelligence Surveillance Court could, under FISA (as amended by the USA Patriot Act), order a U.S.-located corporation to produce records held in Canada that are under the U.S. corporation’s control. The B.C. Report indicates that some U.S. courts have found that, under U.S. law, control of records exists whenever there is a U.S. parent-Canadian subsidiary corporate relationship, regardless of the contractual or practical arrangements between the customer providing the data and the service provider or its U.S. parent; although the B.C. Report goes on to say that other U.S. cases suggest that contractual or practical arrangements may influence a U.S. court’s findings regarding control. The report concludes that there is a reasonable possibility of unauthorized disclosure of British Columbians’ personal information pursuant to an extraterritorial U.S. order or national security letter.
The B.C. Report underscores two possible privacy problems facing Canadian organizations in respect of their compliance with Part 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA). The first potential problem arises in connection with the transfer of personal information for processing by a Canadian organization to a U.S. linked service provider; the second stems from the possible disclosure of such information by the U.S. linked service provider pursuant to a U.S. court order. Similar issues may also apply to transfers of information for processing to organizations in jurisdictions other than the U.S., but given the recent attention to the USA Patriot Act and its implications for privacy rights, this article focuses in particular on the provision of personal information to organizations located in, or connected to, the U.S.
Transfer of Personal Information by Organization to U.S. Linked Service Provider
Section 4.1.3 of Schedule 1 to PIPEDA provides that "[a]n organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing" and that it "shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party." Given that disclosure of personal information could be compelled under U.S. law, it is questionable whether an organization transferring information to a U.S. linked service provider can provide a comparable level of protection at all, regardless of whether it requires the receiving organization, by contract or otherwise, to do so. It could be argued, however, that the risk of a U.S. linked service provider being ordered to disclose the information to U.S. authorities is not unique to U.S. linked service providers, since information held by organizations in Canada may also be subject to orders for disclosure to Canadian or foreign authorities (for example, pursuant to the Canadian Security Intelligence Service Act or tax and other treaties). The risk of ordered disclosure in the U.S. therefore would not seem to render a U.S. linked service provider less capable than an organization in Canada of providing comparable protection, since risks of ordered disclosure exist in respect of organizations in Canada as well. It remains essential, though, that steps be taken, such as entering into a data protection agreement with the service provider, to ensure that the service provider implements measures to protect the security of the personal information.
Consideration should also be given to informing the individuals whose information is being transferred about the risks of disclosure of the personal information by the U.S. linked service provider and whether obtaining the individual’s consent to such transfer in that case is reasonable, or whether it could offend Section 4.3.3 of Schedule 1 of PIPEDA. Such section provides that "[a]n organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes." The analysis of what is required to fulfil the purposes will depend on the particular facts and circumstances.
Disclosure of Personal Information by a U.S. Linked Service Provider Pursuant to a U.S. Court Order
The exceptions in PIPEDA permitting disclosure without consent refer broadly to laws and orders without expressly stipulating whether the references include foreign laws and orders or are to be restricted to domestic laws and orders.
Disclosure without consent is permitted in specified circumstances, including where disclosure is: required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records (section 7(3)(c)); made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law (section 7(3)(c.1)(ii)); and required by law (section 7(3)(i)).
Although PIPEDA does not expressly require that the court, person or body with jurisdiction, the government institution or the law, as referred to in the sections of PIPEDA mentioned above, be Canadian, a court could conceivably interpret the legislation narrowly. It is interesting in that regard that the B.C. Privacy Commissioner concluded in the B.C. Report that disclosure of personal information in response to a foreign law or order is "unauthorized" for the purpose of Section 30 of FOIPPA, which section places an obligation on a public body to make reasonable security arrangements against such risks as unauthorized disclosure, because "a foreign law does not apply in British Columbia".
Also, the federal Privacy Commissioner, in her submission to the Office of the Information and Privacy Commissioner for British Columbia, expressed her view that any order made by a foreign government or court would have no legal force against a company, based only in Canada, that maintains personal information only in Canada. She did, however, state that organizations operating in a foreign country that hold personal information about Canadians in that country must comply with the laws of that country such that if they are presented with an order requiring them to disclose personal information, they must surrender that information. Of note, the Alberta private sector privacy legislation also has an exception permitting disclosure without consent where the disclosure is pursuant to statute or regulation that authorizes or requires the disclosure but such exception is restricted to statutes or regulations of Alberta or Canada.
PIPEDA is scheduled for legislative review in 2006. Given the concerns about cross-border exchanges of information, it is hoped that amendments to PIPEDA that specifically address these concerns will be introduced in conjunction with, or following, such review. In the meantime, though, organizations will continue to grapple with how best to structure outsourcing or other arrangements involving the transfers or disclosures of personal information outside of Canada.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.