Article by Wendy Gross and Michelle Kisluk*
Published in CA Magazine, September 2005.
Those who handle individuals’ personal information, including financial details, in the course of business are required to treat that information in accordance with Canada’s privacy laws. This includes getting an individual’s consent as to where and to whom this information is disclosed. If it is stored with, processed at or otherwise shared with a US or US-controlled Canadian company, there is a risk the US-linked company could be compelled to disclose that information to US authorities without the individual’s knowledge or consent. While the risk of access by US authorities has always been present, the introduction of US anti-terrorism legislation has raised concerns about the increasing ease and secrecy of access and its interaction with Canada’s privacy laws.
The US Patriot Act was introduced in the wake of the events of September 11, 2001 as a means of increasing the government’s ability to intercept and obstruct terrorist communications and activities. To this end, the act facilitates, among other things, the ability of US authorities to conduct searches and to seize or compel the disclosure of records. The implications of the act on Canadian businesses and the security of Canadians’ personal information,
while still somewhat unknown, are highly relevant to any business that handles Canadians’ personal information and shares or transfers that information to US-linked entities.
Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) requires organizations engaged in commercial activities to obtain individuals’ consent to the collection, use or disclosure of their personal information. In Alberta, BC and Quebec, provincial private sector privacy legislation has been deemed substantially similar and applies within the province in place of PIPEDA. Disclosure of personal information to a third party without the individual’s consent constitutes a breach of these laws, except in specified circumstances.
When personal information held by an organization is transferred to a third party for processing, the organization’s responsibility for that information continues and it must provide protection while the information is in the hands of that third party. This obligation is met by, for example, including provisions in outsourcing contracts that limit the third party’s use or disclosure of the information.
BC’s information and privacy commissioner undertook extensive consultations resulting in a report on the Patriot Act’s implications on the BC government’s decision to outsource to a US-linked firm certain healthcare provision functions for members of its public servants’ union. The BC commissioner found that the Patriot Act could possibly be used to compel disclosure of information outsourced to a US-linked company, in breach of the BC government’s obligations under the provincial public sector privacy legislation.
Although the situation in BC emerged in relation to public sector privacy legislation, Patriot Act powers could be applied equally to information transferred by Canadian private sector entities to US-linked organizations, risking the security of that data and a possible breach of Canadian private sector privacy legislation.
Prior to the passage of the Patriot Act, Canadians’ personal information in the custody or control (interpreted by a US court as "the legal right, authority or practical ability to obtain the materials sought upon demand") of US-linked organizations could be accessed by US authorities through national security letters, grand jury subpoenas or governmental channels. The Patriot Act, it was suggested by the Canadian Internet Policy and Public Interest Clinic, simply "broadened the scope and lowered the standard for the issuance of such orders."
The Patriot Act amended the Foreign Intelligence Surveillance Act (FISA) to permit the FBI to seek orders from the secret FISA court requiring the production of "tangible things" (defined to include books, records, papers, documents and other things) relevant to "an investigation to protect against international terrorism or clandestine intelligence activities." The Patriot Act also lowered the standard for a FISA order: from foreign-intelligence gathering being "the purpose" of the search or surveillance to its being "a significant purpose." These changes, among others, have raised concern that the Patriot Act will allow "the US government to engage in large-scale fishing expeditions."
As a result of the secrecy in which the FISA court operates, little information is available on how these provisions have been used. Furthering the secrecy of FISA orders is the prohibition on an organization of disclosing that it has received or disclosed information under a FISA order. This means the US-linked company receiving the order may not tell the organization or relevant individuals that gave it information that information was requested by or disclosed to US authorities.
Once Canadians’ personal information is transferred to the US, it is subject to US law, including the Patriot Act. Whether the Patriot Act could be used to compel a US parent to disclose records held by a Canadian subsidiary remains a matter of debate. The BC Commissioner Report found that it is a "reasonable possibility" the FISA court would order production of documents that are within the custody or control of a US company, such as a US parent with access to records held by a Canadian subsidiary. If a US-linked company makes a disclosure to US authorities without the consent of the Canadian individuals named, this may result in the Canadian organization that transferred the information breaching Canadian privacy legislation unless the disclosure meets an exception in the applicable Canadian privacy legislation.
PIPEDA permits disclosure without consent in some circumstances, including:
- when an organization is required to comply with a court order to compel the production of information;
- when the disclosure is to a government institution in response to a request for information related to national security or international affairs; or
- for the purpose of enforcing a law of Canada or of a foreign jurisdiction.
PIPEDA does not expressly limit these exceptions to Canadian court orders or government institutions. In a submission to BC’s information and privacy commissioner, Michael Geist and Milana Homsi argued if these exceptions permit disclosure to foreign authorities without consent, Patriot Act orders wouldn’t violate PIPEDA. If, however, PIPEDA exceptions don’t apply to requests from foreign government authorities, compliance with such orders would violate PIPEDA. Unfortunately, adding to the uncertainty around the Patriot Act, application of these exceptions to foreign orders or institutions hasn’t yet been clarified by PIPEDA or the privacy commissioner.
The need for clarity on the interaction between PIPEDA and the Patriot Act becomes apparent in the many instances that could arise in the course of business. For example, personal client information held by the Canadian office of an international accounting firm on a shared database and accessible to colleagues in its US-linked company may constitute custody by the US-linked company and could lead to it being ordered to produce that information to US authorities.
In provinces where privacy legislation applies to employees of an organization, or in certain federal operations in which PIPEDA applies to employee information, including banks and telecommunication companies, issues may arise with respect to employees’ personal information being put in the hands of US authorities without employees’ knowledge or consent. For example, an in-house accountant who outsources the company’s payroll or benefits processing to a US-linked firm is, arguably, making employees’ personal information accessible to US authorities. This may constitute a breach of the applicable privacy legislation by the employer organization.
A practical implication of the Patriot Act may be that individuals will choose to deal with businesses that do not share information with US-linked affiliates or service providers. With media attention and increasing awareness of the Patriot Act, as well as its inherently political nature, clients may be scared off — even if in practice the result is not that different than before the Patriot Act.
Even if disclosure is permitted by PIPEDA, other statutes may block compliance with a FISA order. The Business Records Protection Act (Ontario) was enacted in response to "aggressively extra-territorial, ‘long arm’ " US legislation. The act prohibits removing business records from, or taking or sending them out of, Ontario, except in specific circumstances, including where such transfer "is provided for by or under any law of Ontario or of the Parliament of Canada."
Whether the act could effectively block a US order to disclose records to the US government is uncertain. It has been suggested that "US courts have not granted the statute high deference due in part to its lax enforcement." A further complication is that to argue that the disclosure is blocked by the act, the Ontario company holding the records would have to disclose the existence of the FISA order, breaching the Patriot Act and risking resulting penalties.
The secretive nature of the Patriot Act complicates measuring the effectiveness of steps taken to keep data held by US-linked companies out of the reach of US authorities. Measures may nonetheless be taken to enhance the protection of the data and minimize the Canadian organization’s exposure under Canadian privacy legislation.
According to the Office of the Privacy Commissioner of Canada, a company in Canada that outsources information processing to the US, where it will be subject to US laws, should notify its customers that the information may be made available to the US government or its agencies under a lawful order made in that country. Such notification would give individuals the option of refusing to provide personal information if they object to risking its access by US authorities. This approach may result in clients’ refusing to do business with the organization. On the other hand, such an approach could become a logistical nightmare for the organization if clients permit the organization to provide them with services, but refuse to allow certain pieces of their personal information to be disclosed to US-linked companies. The organization would then be required to keep track of the specific pieces of personal information that must be treated in a special manner.
Other approaches are found in the Master Services Agreement between the BC government and its service provider. The terms of the agreement were noted with approval by the BC Superior Court in dismissing the BC public servants union’s at-tempt to have that agreement quashed. It is unknown, however, whether these measures will in fact insulate the data from the reach of the Patriot Act and US authorities. These provisions include a trust structure under which the province would obtain the shares of the BC subsidiary providing the outsourcing services in case of a risk of disclosure. Other measures include restrictions on the use and control of electronic equipment and devices by employees, a fine upon breach of confidentiality, employee training and the requirement that all data remain the property of the province.
Until the US government releases more information about the uses it might make of its Patriot Act powers, it will be difficult to determine how worried Canadian businesses should be and what should be done to protect the personal information of Canadians in the hands of US-linked companies. In the meantime, by ensuring that clients are aware of when and how their information may be at risk of access by US authorities, and by exploring other means of contractually protecting the data, Canadian CAs and their firms can protect themselves to some degree from breaches of Canadian privacy legislation.
The information and analysis were accurate at press time. In July, the House of Representatives voted to extend the Patriot Act.
*Wendy Gross is a partner in the Technology Law Group in the Toronto office of McCarthy Tétrault. Michelle Kisluk is an associate in the Technology Law Group in the Toronto office of McCarthy Tétrault.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.