The USA Patriot Act,[1] which significantly expanded the power of US authorities to obtain personal information records located in the US, has recently raised concerns in Canadian legal circles about the extraterritorial reach of orders requiring the disclosure by US parent corporations of personal information records held by their Canadian subsidiaries.
Two sections of the Patriot Act raise particular concerns about the privacy of personal information outsourced by Canadian public bodies to US-linked service providers.
Section 215 of the Patriot Act amended the Foreign Intelligence Surveillance Act of 1978 (FISA) to allow the FBI to apply to the FIS Court[2] for an ex parte order requiring a person to produce “any tangible things”. Previously, FISA mandated that law enforcement prove “specific and articulable facts” giving reason to believe that the target of the search was “a foreign power or an agent of a foreign power”. Now, all that need be shown is that the records are sought for an authorized investigation to protect against international terrorism or clandestine intelligence activities. In addition, section 215 expands both the range of documents whose production may be compelled and the kind of organizations covered. It also prohibits the recipient from disclosing to any other person that the FBI has sought or obtained any tangible thing.[3] Section 215 is being attacked on constitutional grounds before a US District Court and it features a sunset clause that will cause it to expire on December 31, 2005.
Section 515 increased the FBI's authority to issue “national security letters” to compel financial institutions, telephone companies or internet service providers to secretly disclose customer information. This authority has been further expanded to include records held by travel agencies, real estate agents, the US Postal Service, jewellery stores, casinos, and car dealerships.[5] However, a US District Court recently declared section 515 to be an unconstitutional violation of First and Fourth Amendment rights.[6]
Concerns about the effect of these amendments on Canadian personal information have been voiced both federally and in British Columbia.
British Columbia's Information and Privacy Commissioner, David Loukidelis, recently released a report[7] on the implications of the Patriot Act for the outsourcing of services by public bodies in British Columbia. Commissioner Loukidelis examined whether the FIS Court may order a US corporation to produce personal information records held in Canada by its subsidiary in the face of a Canadian law prohibiting such disclosure.
Administration of personal information in the BC public sector is governed by the Freedom of Information and Protection of Privacy Act (FOIPPA),[8] which requires that public bodies make “reasonable security arrangements” against the risk of “unauthorized” disclosure of personal information under their control[9] (including information they have outsourced to a service provider).
In his report Commissioner Loukidelis held that disclosure of personal information in response to a FISA order would constitute “unauthorized disclosure”. He held further that the “reasonableness” of security arrangements must take into account contextual factors, including the nature of the information involved and the consequences of its unauthorized disclosure. One organization asserted in its submission that only a ban on outsourcing sensitive personal information could prevent such unauthorized disclosures. The Commissioner dismissed this assertion as disproportionate, ineffective, and impractical, arguing instead that measures should be implemented at the legislative, contractual and practical levels to mitigate the risks of such unauthorized disclosures.
In particular, the Commissioner made 16 recommendations and announced that his Office would report publicly on the progress of their implementation before October 2005. The BC Legislature passed Bill 73[10] less than two weeks before the release of the report. This Bill amends FOIPPA in light of the Patriot Act and reflects some of the Commissioner's recommendations: public bodies must ensure that personal information under their control is stored only in Canada (except with the consent of the individual concerned); public bodies and their service providers must report foreign demands for disclosure to the relevant Minister;[11] and public bodies and their service providers are forbidden from disclosing personal information under the control of a public body except as authorized under FOIPPA.
Commissioner Loukidelis's report was in part a response to the public debate triggered by the filing of a suit by the BC Government and Service Employees' Union (BCGEU) aimed at preventing the outsourcing by the BC government to a US-linked service provider of the administration of the public health insurance program. The decision of the British Columbia Supreme Court was handed down on March 23, 2005.[12] While he dismissed the BCGEU petition on grounds of fatal defects that are not relevant to the present subject, Justice Melvin concluded that the contractual disclosure to a private service provider of information required to ensure payment of accounts rendered by medical health care professionals did not constitute a breach of sections 7 or 8 of the Canadian Charter of Rights and Freedoms. What is protected are “reasonable expectations of privacy”. The contractual provisions, the specific corporate structure of the service provider, and the provisions of the amended FOIPPA (which were implemented between the filing of the suit and the release of the Court's decision) provide “more than reasonable security” with respect to records held in BC. For example, under the outsourcing contract, the shares of the BC-incorporated service provider are to be held in trust by a trust company operating in BC. In the event of an actual or prospective breach by the service provider, the trust company must deliver the shares to the BC Government, which will assume ownership. Other important safeguards noted by Mr. Justice Melvin include a $35 million penalty in case of a breach of confidentiality by the service provider, whistleblowing requirements and protection, training of employees in respect of their confidentiality duties, restrictions on the use of electronic devices by employees, and ownership of all information by the BC Government. BCGEU has announced that it is appealing the decision.
Despite the amendments to FOIPPA, some of the recommendations made by Commissioner Loukidelis remain unimplemented. For example, he recommended that the BC government, in conjunction with the federal government, seek assurances from relevant US authorities that they will not seek FISA orders for accessing personal information records in British Columbia.
It is also disturbing to note that the amendments to FOIPPA place US firms and their Canadian subsidiaries in a legally untenable situation. If a US firm, served with a FISA order for the disclosure of personal information records held by its Canadian subsidiary, complies with the order, its Canadian subsidiary may contravene FOIPPA prohibitions. However, failing to comply with the order constitutes an offence under American law.
At the federal level, the Treasury Board of Canada Secretariat (TBS) has requested federal public bodies to produce a comprehensive assessment of their outsourcing activities to mitigate possible risks related to the Patriot Act.[13] The TBS provided examples of “best practices” as part of this assessment, including retaining information, especially health information, within Canadian government facilities. It is also drafting personal information protection clauses to be used in future contracts.
It is likely that contractual and statutory changes reflecting Commissioner Loukidelis's findings relating to the security of personal information outsourced by Canadian public bodies to US-linked service providers will be implemented in other provinces. Moreover, governments may decide to adopt the Commissioner's Recommendation 13 and address the implications of the Patriot Act for the security of personal information under private sector control in Canada. At the end of the day, however, as with national security challenges, the real solution to protecting personal information may depend upon developing international norms through consensus-building rather than through protective domestic legislation.