During his first week in office, President Trump signed an executive order that effectively removed protections extended to non-US citizens and non-permanent residents under the US Privacy Act.
This will have an impact on the privacy of all non-US persons,1 both in the US and around the world, including Canadians. This is because Canadian and US agencies often cooperate and share information, the vast majority of Canadian Internet traffic is routed through the US, and personal information is often stored and accessible on servers in the US.
The US Privacy Act
The US Privacy Act of 1974 controls the collection, maintenance, use, and dissemination of personally identifiable information in records that are held by US federal agencies and that relate to US citizens and legal permanent residents.
Although the legislation does not expressly protect personally identifiable information of non-US persons, the internal privacy policies of several federal agencies extended application of the Privacy Act to non-US persons. For example, the departments of Homeland Security, Justice, and State had internal privacy policies that applied some provisions of the Privacy Act to non-US persons in circumstances where US and non-US person data was commingled.
The executive order
President Trump’s Executive Order No. 13768 titled “Enhancing Public Safety in the Interior of the United States” includes a section that will repeal these privacy policies, thereby removing privacy rights that had been extended to non-US persons:
Sec. 14. Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.2
Although this section was part of a broader executive order containing controversial provisions relating to enforcement of immigration priorities, the consequences of this section should not be underestimated or ignored.
Related sections in the executive order encourage data sharing between federal agencies using “all lawful means to ensure the faithful execution of the immigration laws of the United States against all removable aliens.” This policy will be facilitated by the executive order’s removal of Privacy Act protections from non-US persons.
The limited protections of the Privacy Act that were afforded to non-US persons have been stripped, and the exact consequences are still unknown.
However, because the executive order encourages US federal agencies to share more information about non-US persons, there may be an increase in the number of individuals being denied entry into the US. Often there is no way for a Canadian to know what personal information a Canadian agency has shared with a US agency.
For example, in 2014, the Ontario information and privacy commissioner discovered that the mental-health information of some Canadians was accessible to the FBI and US Customs and Border Protection, the sharing of which resulted in a Canadian citizen being denied entry to the US.3
Since the executive orders relating to immigration were signed, there have been reports that some Canadians have had their Nexus trusted-traveller cards removed and/or denied. This raises further concerns about the sharing of information between Canadian and US agencies, including biometric screening such as fingerprint and iris scans that are required to obtain a Nexus card.
Because unencrypted Canadian Internet traffic often flows through the US, Canadian citizens do not even have to be physically located in the US to be affected by these as-yet-unknown changes.
It is unknown whether the Office of the Privacy Commissioner of Canada will investigate the potential ramifications on Canadians and Canadian agencies that share data with US federal agencies.
Another unknown is whether the executive order will affect the recently adopted US-EU Privacy Shield framework, which would allow some US companies to comply with privacy laws protecting EU citizens.
In the meantime, it is important for Canadian individuals and businesses to consider what impact this executive order could have on them, including any potential reputational risks.
1 We note that protections of the US Privacy Act are extended to citizens of European Union countries under the Judicial Redress Act of 2015, by way of a designation made by the US Attorney General that came into effect on February 1, 2017.
2 Enhancing Public Safety in the Interior of the United States, Exec. Order No. 13768, 82 Fed. Reg. 8799 (Jan. 30, 2017), https://www.gpo.gov/fdsys/pkg/FR-2017-01-30/pdf/2017-02102.pdf.
3 Ann Cavoukian, Ontario information and privacy commissioner, Crossing the Line: The Indiscriminate Disclosure of Attempted Suicide Information to U.S. Border Officials via CPIC, online at: https://www.ipc.on.ca/wp-content/uploads/Resources/indiscriminate_disclosure.pdf.