The controversial Patriot Act in the U.S. continues to loom over its northern neighbour as the potential risks of cross-border data transfer threaten to undermine Canadian privacy.
Enacted shortly after the Sept. 11 terrorist attacks in 2001, the Patriot Act sought to expand the surveillance powers and local and foreign intelligence gathering of U.S. law enforcement agencies, in a bid to step up counter-terrorism initiatives.
Recent news reports from the U.S., however, have revealed incidents of misuse or abuse by the Federal Bureau of Investigation (FBI) in gathering intelligence information under the Patriot Act. Privacy watchdogs south of the border, such as the Electronic Frontier Foundation, have been lobbying for better oversight of the enforcement of the Patriot Act.
While the reported violations seemed to be confined to the U.S. and its residents, Canadian privacy advocates are beginning to raise a red flag on the possible implications of the anti-terrorism legislation for Canadian companies and residents.
Among the many controversial provisions of the Patriot Act, one in particular presents a potential threat to Canadian privacy.
Section 215 of the Patriot Act allows the U.S. FBI to issue national security letters to compel third-party organizations, such as ISPs, financial institutions or telecom firms, to secretly disclose customer information, said Jason Young, an associate at Toronto-based technology law firm Deeth Williams Wall LLP.
“If a Canadian company is a subsidiary of a U.S. parent, there was speculation that the FBI could serve the U.S. parent company with a national security letter that says, ‘Give us records in your custody or your control.’”
The phrase “records in your custody or control” could mean not only data that the U.S. headquarters directly handles, but also information held at its subsidiary locations in other countries, such as Canada, said Young.
The same section of the Patriot Act also includes a gag order, prohibiting companies from revealing to any party that they have been served with a national security letter.
“There would be no way for any of the Canadian consumers or even the Canadian subsidiary to know that the reason the parent company was requesting that information was because they have been served with a national security letter from the FBI,” said Young.
Canadian governing bodies have already taken steps to mitigate the risks of cross-border data transfers to the U.S. as a result of the provision.
In 2004, British Columbia passed amendments to its privacy legislation prohibiting B.C. companies that collect information on behalf of any B.C. government bodies from disclosing or transferring that information to other jurisdictions where it may be subject to lawful disclosures.
Nova Scotia has enacted similar legislation, while the federal Treasury Board has issued guidelines to federal government agencies that outsource the management and/or storage of sensitive information. The guidelines restrict outsourcing to companies that might be subject to foreign intelligence warrants, Young said.
Notwithstanding the U.S. Patriot Act, however, personal information is already subject to cross-border transfers, particularly with the increasing use of the Internet for commercial transactions and for international collaboration among law enforcement bodies, according to security expert Mary Kirwan, founder and CEO of Headfry Inc.
“We may be a bit unrealistic in imagining that we can somehow just keep all the data at home, just the nature of the Web is that data is going to flow across border,” Kirwan said.
While concerns around the Patriot Act are well-founded, especially when dealing with financial institutions and healthcare providers, Kirwan stressed multinational subsidiaries are also mandated to comply with local laws, which provide citizens a mechanism for protection.
Canada, for one, has a strong expectation of privacy as evidenced by the existence of federal privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA), said Kirwan.
Kirwan also stressed it’s important for Canadian companies to make their privacy policies as transparent as possible so that “there are no ugly surprises for the customer.”
“There are consequences if you are served with a subpoena for the data — as an exception to PIPEDA — but make it clear in your privacy policy and to people reading it that there are circumstances where data might be released and some of them include situations that are set out in PIPEDA, such as national security concern or court order,” explained Kirwan.
It’s a tougher issue, however, for Canadian companies that are dealing with or have relations with a U.S. organization, Kirwan said, but she stressed that in those situations companies should try to ensure that the privacy of the data is at least comparable to that in Canada. “I think that would be a reasonable expectation (from customers).”
Young agreed with Kirwan, adding that Canadian companies are getting around the Patriot Act implications by being more transparent to the customer.