[IP] The privacy threat to data outsourcing
Begin forwarded message:
From: Michael Geist <mgeist@xxxxxxxxx>
Date: July 26, 2004 4:57:47 AM PDT
To: dave@xxxxxxxxxx
Subject: The privacy threat to data outsourcing
Dave,
Of possible interest to IP -- today I am releasing a report that I
co-authored with Milana Homsi examining the effect of U.S. law,
particularly the Patriot Act, on Canadian privacy law. The report comes
in response to concerns in British Columbia over a proposed government
outsourcing of health data. The report concludes that several U.S.
statutory provisions provide U.S. courts with the power to order secret
disclosures from both U.S. companies with foreign subsidiaries and
foreign companies with U.S. subsidiaries and that current Canadian
privacy law can do little to stop such disclosures.
It seems to me the issue is far bigger than just a BC government
outsourcing contract. Assuming this analysis is correct, I would
expect many countries worldwide with strong privacy law frameworks to
begin questioning the ramifications of transferring data to any
companies with U.S. connections. The report highlights the fact that
this doesn't target U.S. companies alone -- anyone with a U.S.
subsidiary or other means to fall into U.S. personal jurisdiction is
potentially affected. The potential conflict between the long arm of
U.S. law and privacy legislation is likely to grab increasing attention
in the months ahead.
A column on the report, reproduced below, can be found at
<http://geistprivacypatriotact.notlong.com/>.
The report itself is online at
<http://patriotactbcprivacy.notlong.com/>.
Best,
MG
U.S. laws put Canadian privacy at risk
LAW BYTES
MICHAEL GEIST
Although it has garnered only limited attention in the rest of the
country, for the past few months the British Columbia privacy and
information technology communities have been embroiled in a high-stakes
issue that raises difficult questions about the effectiveness of
Canadian privacy law and the potential threat posed by data outsourcing
to the United States.
The issue first arose earlier this year when the B.C. government
announced its intention to find a private sector partner to manage the
operation of its medical services plan.
Soon afterward, the B.C. Government and Services Employees' Union
(BGSEU) launched a campaign opposing the contracting out to U.S.
corporations. The union cited concerns that Canadian data could be
disclosed to U.S. law enforcement agencies acting under the powers
granted by the U.S. Patriot Act, which was enacted in response to the
events of 9/11.
The BGSEU filed a petition in court to block the outsourcing, arguing
that transferring personal data out of the province to the U.S. would
violate provincial privacy law. Even though the government agreed to
place the outsourcing on hold, the issue continues to attract growing
interest.
A coalition of privacy groups has launched a campaign calling for a
ban on such outsourcings. At the same time the B.C. Privacy
Commissioner began public hearings seeking advice from privacy experts
and interested parties from across Canada.
Milana Homsi, a recent law graduate from the University of Ottawa who
also studied at George Washington University Law School in Washington,
D.C., and I recently responded to the commissioner's call for comment
by releasing a study on the associated privacy issues and an assessment
of applicable U.S. law (a full copy of the study can be found online at
http://www.michaelgeist.ca).
Our results suggest that the problem is actually far worse than is
generally acknowledged. A review of both Canadian and U.S. law leaves
little doubt that U.S. law does grant law enforcement authorities the
power to compel disclosure of personal information without notifying
the targeted individual that their information is indeed being
disclosed (in fact, disclosing the disclosure is itself a violation of
the law).
The troubling truth, however, is that this is not strictly a Patriot
Act issue. Rather, there are several U.S. investigatory powers that
grant similar authority. These include grand jury subpoenas and
national security letters, both of which predate the Patriot Act.
Moreover, the application of these laws is not limited to U.S.
companies but actually applies to any company with sufficient U.S.
connections such that it could find itself subject to the jurisdiction
of the U.S. courts. Several cases, including one involving the Bank of
Nova Scotia, have found that the U.S. courts are entitled to apply U.S.
criminal law, even in the face of a conflicting obligation under the
foreign law. This is true both for U.S. companies operating
subsidiaries in foreign countries as well as for foreign companies with
U.S. subsidiaries.
The one notable exception to this practice occurs where the foreign
company is subject to a "blocking statute" in its native land. A
blocking statute is viewed as a specific legal obligation that
precludes an organization from complying with both U.S. and foreign
law. For example, Canada attempted to enact a blocking statute in
response to the U.S. Helms-Burton law that established restrictions on
doing trade with Cuba, though the law did little to persuade U.S.
courts that they should refrain from applying U.S. law.
Since Canada's privacy law is unlikely to meet the blocking statute
standard, it seems likely that U.S. law enforcement authorities may
indeed compel the disclosure of Canadian data. In fact, this analysis
suggests that the data doesn't actually have to leave Canada in order
for U.S. authorities to successfully compel disclosure. As long as the
data is controlled by an entity such as a major bank or multinational
Internet service provider with U.S. ties, U.S. courts may apply their
national law and force the disclosure of the Canadian personal
information.
While these facts alone are disturbing, the problem is exacerbated by
the response of Canadian privacy law. First, it is unclear whether
disclosures compelled by U.S. law would actually constitute a violation
of the Personal Information Protection and Electronic Documents Act
(PIPEDA), Canada's national privacy legislation. While the law requires
user consent where personal information is disclosed to a third party,
the statute contains several exceptions to this general rule.
Of particular importance in this context is an exception for
disclosures under warrant or court order. The law does not specify
whether the warrant or court order must come from a Canadian court,
leading to the possibility that an order under the Patriot Act, a grand
jury subpoena, or a national security letter would also qualify.
Alternatively, the statute contains a further exception, established
at the Canadian Security Intelligence Service's urging, for disclosures
to government institutions or affiliates of government institutions
where the disclosure is requested for the purpose of enforcing any
Canadian or foreign law.
While the law again does not specify whether this exception is
limited to requests from the Canadian government, it is possible that
the law could be extended to foreign governments. Even if limited to
Canadian governmental institutions, however, it suggests that U.S.
authorities could turn to their Canadian counterparts for help in order
to fit within the exception.
Based on this analysis, our report makes several recommendations.
First, with PIPEDA slated for a legislative review next year, lawmakers
should consider clarifying the jurisdictional reach of the statute so
that there is a better understanding of the full impact of its
exceptions.
Second, for PIPEDA to serve as a blocking statute under U.S. law,
changes must be made to create stronger enforcement mechanisms as well
as to establish serious penalties for violation of the law. Without
such reforms, it would appear that U.S. courts would uphold U.S.
requests for information disclosure and discount any conflicting
Canadian privacy obligation.
Third, if Canadian data is to be requested by U.S. law enforcement,
Canada should seek a formal or informal agreement with agencies such as
the FBI on procedures relating to access to Canadian records. Such an
agreement might provide Canadians with an additional layer of
protection against inappropriate disclosures.
Fourth, the privacy community should acknowledge that the current call
for a ban on governmental outsourcing of personal information to the
U.S. does not fully protect Canadian personal information. While such a
ban would admittedly provide greater security for a small set of data,
it does little to address the larger issue of the application of U.S.
law to Canadian entities and the potential for disclosures that run
counter to the spirit if not the letter of Canadian law.
The B.C. outsourcing case has forced the Canadian privacy and
outsourcing communities to come clean on one of Canada's unwanted
privacy secrets. Simply put, the risk of secret disclosure of personal
information to U.S. authorities by both U.S. organizations and Canadian
organizations with U.S. ties is a real one and there appears to be very
little we can do about it.
--
**********************************************************************
Professor Michael A. Geist
Canada Research Chair in Internet and E-commerce Law
University of Ottawa Law School, Common Law Section
Technology Counsel, Osler, Hoskin & Harcourt LLP
57 Louis Pasteur St., Ottawa, Ontario, K1N 6N5
Tel: 613-562-5800, x3319 Fax: 613-562-5124
mgeist@xxxxxxxxx http://www.michaelgeist.ca
-------------------------------------
Archives at: http://www.interesting-people.org/archives/interesting-people/