How information-sharing with U.S.-linked companies may breach Canada's lawsIntroduction
Those who handle individuals’ personal information, including financial details, in the course of business are required to treat that information in accordance with Canada’s privacy laws. This includes obtaining each individual’s consent to the purposes for which, and persons to whom, this information is disclosed. If this information is transferred for storage or processing, or otherwise shared with a U.S. or U.S.-controlled Canadian company (collectively, a “U.S.-linked” company), there is a risk that the U.S.-linked company could be compelled to disclose that information to
The USA PATRIOT ACT was introduced in the wake of the events of September 11, 2001 as a means of increasing the U.S. government’s ability to intercept and obstruct terrorist communications and activities. To this end, the Patriot Act facilitates, among other things, the ability of U.S. authorities to conduct searches and to seize or compel the disclosure of records. The implications of the Patriot Act on Canadian businesses and the security of Canadians’ personal information, while still somewhat unknown, are highly relevant to any business that handles Canadians’ personal information and shares or transfers that information to U.S.-linked entities.The Private Sector Privacy Landscape in Canada
Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) requires organizations engaged in commercial activities to obtain individuals’ consent to the collection, use or disclosure of their personal information. In Alberta, British Columbia and Quebec, provincial private sector privacy legislation has been deemed substantially similar to PIPEDA, and applies within the province in its place. Disclosure of personal information to a third party without the individual’s consent constitutes a breach of these laws, except in specified circumstances.
When personal information held by an organization is transferred to a third party for processing, the organization’s responsibility for that information continues, and it must provide protection while the information is in the hands of that third party. This obligation is met by, for example, including provisions in outsourcing contracts that limit the third party’s use or disclosure of the information.
The Information and Privacy Commissioner of British Columbia (the B.C. Commissioner) undertook extensive consultations resulting in a report on the Patriot Act’s implications on the B.C. government’s decision to outsource to a U.S.-linked firm certain healthcare provision functions for members of its public servants’ union. The B.C. Commissioner found that the Patriot Act could possibly be used to compel disclosure of information outsourced to a U.S.-linked company, in breach of the B.C. government’s obligations under the provincial public sector privacy legislation. Although the situation in British Columbia arose in relation to public sector privacy legislation, Patriot Act powers could be applied equally to information transferred by Canadian private sector entities to U.S.-linked organizations, risking the security of that data and a possible breach of Canadian private sector privacy legislation.The Patriot Act
Prior to the passage of the Patriot Act, Canadians’ personal information in the custody or control of U.S.-linked organizations could be accessed by U.S. authorities by other means, such as national security letters or grand jury subpoenas, or through governmental channels. The Patriot Act, it has been suggested, simply “broadened the scope and lowered the standard for the issuance of such orders.”
The Patriot Act amended the Foreign Intelligence Surveillance Act (FISA) to permit the FBI to seek orders from the secret FISA Court requiring the production of “tangible things” relevant to “an investigation to protect against international terrorism or clandestine intelligence activities.” The Patriot Act also lowered the standard for a FISA order: from foreign-intelligence gathering being “the purpose” of the search or surveillance to its being “a significant purpose.” These changes, among others, have raised concern that the Patriot Act will allow “the U.S. government to engage in large-scale fishing expeditions.”
As a result of the secrecy in which the FISA Court operates, little information is available on how these provisions have been used. Furthering the secrecy of FISA orders is the prohibition on an organization from disclosing that it has received or disclosed information under a FISA order. This means that the U.S.-linked company receiving the order may not tell the organization or relevant individuals that gave it the information that the information was requested by or disclosed to U.S. authorities.Interaction Between the Patriot Act and Canada’s Privacy Laws
Once Canadians’ personal information is transferred to the United States, it is subject to U.S. law, including the Patriot Act. Whether the Patriot Act could be used to compel a U.S. parent to disclose records held by a Canadian subsidiary remains a matter of debate. The B.C. Commissioner Report found that it is a “reasonable possibility” that the FISA Court would order production of documents that are within the custody or control of a U.S. company, such as a U.S. parent with access to records held by a Canadian subsidiary. If a U.S.-linked company makes a disclosure to U.S. authorities without the consent of the Canadian individuals named, this could result in the Canadian organization that transferred the information breaching Canadian privacy legislation unless the disclosure meets an exception in the applicable Canadian privacy legislation.
PIPEDA permits disclosure without consent in certain circumstances, including (i) when an organization is required to comply with a court order to compel the production of information; (ii) when the disclosure is to a government institution in response to a request for information related to national security or international affairs; or (iii) for the purpose of enforcing a law of Canada or of a foreign jurisdiction. PIPEDA does not expressly limit these exceptions to Canadian court orders or governmental institutions. If these exceptions do permit disclosure to foreign authorities without consent, Patriot Act orders would not violate PIPEDA. If, however, the PIPEDA exceptions do not apply to requests from foreign governmental authorities, compliance with such orders would violate PIPEDA. Unfortunately, adding to the uncertainty surrounding the Patriot Act, the application of these exceptions to foreign orders or institutions has not yet been clarified by either PIPEDA or the Privacy Commissioner.
The need for clarity on the interaction between PIPEDA and the Patriot Act becomes apparent in the many instances that could arise in the course of business. For example, personal client information held by the Canadian office of an international accounting firm on a shared database, and accessible to colleagues in its U.S.-linked company, may constitute custody by the U.S.-linked company and could lead to it being ordered to produce that information to U.S. authorities.
In provinces where privacy legislation applies to employees of an organization, or in certain federal operations in which PIPEDA applies to employee information, including banks and telecommunication companies, issues may arise with respect to employees’ personal information being put in the hands of U.S. authorities without employees’ knowledge or consent. For example, an in-house accountant who outsources the company’s payroll or benefits processing to a U.S.-linked firm is, arguably, making employees’ personal information accessible to U.S. authorities. This may constitute a breach of the applicable privacy legislation by the employer organization.
A practical implication of the Patriot Act may be that individuals will choose to deal with businesses that do not share their information with U.S.-linked affiliates or service providers. With heightened media attention given to the reach of the Patriot Act, and therefore increasing awareness of the Act, as well as its inherently political nature, clients may be scared off by the hype—even if in practice the result is not that different than before the Patriot Act.The Business Records Protection Act
Even if the disclosure is permitted by PIPEDA, other statutes may block compliance with a FISA order. The Business Records Protection Act (Ontario) (BRPA) was enacted in response to “aggressively extraterritorial, ‘long arm’” U.S. legislation. The BRPA prohibits removing business records from, or taking or sending them out of, Ontario, except in specific circumstances, including where such transfer “is provided for by or under any law of Ontario or of the Parliament of Canada.” Whether the BRPA could effectively block a U.S. order to disclose records to the U.S. government is uncertain. It has been suggested that “U.S. courts have not granted the statute high deference due in part to its lax enforcement.” A further complication is that to argue that the disclosure is blocked by the BPRA, the Ontario company holding the records would have to disclose the existence of the FISA order, breaching the Patriot Act and risking resulting penalties.Measures to Enhance Protection and Minimize Exposure
The secretive nature of the Patriot Act complicates measuring the effectiveness of steps taken to keep data held by U.S.-linked companies out of the reach of U.S. authorities. Certain measures may nonetheless be taken to attempt to enhance the protection of the data and minimize the Canadian organization’s exposure under Canadian privacy legislation.
According to the Office of the Privacy Commissioner of Canada, a company in Canada that outsources information processing to the United States, where it will be subject to U.S. laws, should notify its customers that the information may be made available to the U.S. government or its agencies under a lawful order made in that country.Such notification would give individuals the option of refusing to provide personal information if they object to risking its access by U.S. authorities. This approach may result in clients’ refusing to do business with the organization. On the other hand, such an approach could become a logistical nightmare for the organization if clients permit the organization to provide them with services, but refuse to allow certain pieces of their personal information to be disclosed to U.S.-linked companies. The organization would then be required keep track of the specific pieces of personal information that must be treated in a special manner.
Other approaches are found in the Master Services Agreement (the Agreement) between the B.C. government and its service provider, mentioned above. The terms of the Agreement were noted with approval by the B.C. Superior Court in dismissing the B.C. public servants’ union attempt to have that Agreement quashed. It is unknown, however, whether these measures will in fact insulate the data from the reach of the Patriot Act and U.S. authorities. These provisions include a trust structure under which the province would obtain the shares of the B.C. subsidiary providing the outsourcing services in case of a risk of disclosure. Other measures include restrictions on the use and control of electronic equipment and devices by employees.Conclusion
Until the U.S. government releases more information about the uses it might make of its Patriot Act powers, it will be difficult to determine how worried Canadian businesses should be and what should be done to protect the personal information of Canadians in the hands of U.S.-linked companies. In the meantime, by ensuring that clients are aware of when and how their information may be at risk of access by U.S. authorities, and by exploring other means of contractually protecting the data, Canadian CAs and their firms can help protect themselves to some degree from breaches of Canadian privacy legislation.
Wendy Gross is a partner in the Technology Department in the Toronto office of Torys LLP. She has extensive expertise in legal issues relating to privacy and data protection, security, domain names and other legal issues relating to the Internet and e-commerce, as well as in legal issues relating to marketing, advertising and contests.
Michelle Kisluk is an associate in the Corporate Department of Torys' Toronto office and a member of the Privacy Group. She has been involved in representing clients in providing advice on privacy law compliance.
 Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT ACT) Act of 2001, Pub. L. No. 107-56, 272 Stat. 115 [the Patriot Act].
 S.C. 2000, c. 5.
 Ibid. at Sch. I, principle 4.1.3. The provincial Acts also contain requirements that the organization protect the privacy of information when transferred to a third party.
 Note that PIPEDA does not apply to the personal information of employees of an organization, other than those employed in “Federal Works or Undertakings,” defined in PIPEDA to include banks, airlines and radio broadcasting stations. The provincial Acts of British Columbia, Alberta and Quebec do apply to employees, as does the proposed private sector privacy legislation for Ontario.
 Information and Privacy Commissioner for British Columbia, Privacy and the USA Patriot Act: Implications for British Columbia Public Sector Outsourcing (October 2004), online: Office of the B.C. Commissioner, <www.oipc.bc.ca/sector_public/usa_patriot_act/pdfs/report/privacy-final.pdf> [B.C. Commissioner Report].
 Ibid. at 132. The B.C. Commissioner’s findings on the implications of the Patriot Act prompted the B.C. government to amend its provincial public sector legislation, the Freedom of Information and Protection of Privacy Act, R.S.B.C. 1996, c. 165 [FOIPPA]. The amended FOIPPA restricts when personal information may be stored, accessed from or disclosed outside Canada and requires that a company report to the minister responsible for the Act a foreign demand for disclosure of personal information.
 Control has been interpreted as “the legal right, authority or practical ability to obtain the materials sought upon demand.” B.C. Commissioner Report, supra note 5 at 119, note 12, citing Bank of New York v. Meridien Biao Bank Tanzania, 171 F.R.D. 135 at 146 (S.D.N.Y. 1977). Note that this definition has not been applied in the context of the Patriot Act and it is therefore uncertain how it would apply in that context.
 Canadian Internet Policy and Public Interest Clinic (CIPPIC), Submission on the USA Patriot Act, which was made to the B.C. Commissioner (August 2, 2004), online: <www.cippic.ca/en/projects-cases/privacy/USAPatriotAct%20Submission.pdf> [the CIPPIC Submission].
 Supra note 1 at s. 215. “Tangible things” is defined in the section to include books, records, papers, documents, and other items.
 Ibid. at s. 218.
 CIPPIC Submission, supra note 8 at 6.
 Only recently, at the commencement of hearings on whether to let certain sections of the Patriot Act expire, has the U.S. government begun to release statistics about its use of Patriot Act powers. The government stated that 1,754 FISA warrants were approved in 2004, compared with 1,003 warrants in 2000, before the Patriot Act. “Secret U.S. court approved record number of terror warrants in 2004” (April 1, 2005), online: www.theglobeandmail.com/servlet/story/RTGAM.20050401.wsecre1/BNStory/International/?query=patriot+act .
 Supra note 1 at § 215(d). Note that although the Act itself does not set out penalties for breaches of § 215, “refusal to follow a judicial order constitutes contempt of court and is punishable by ‘fine or imprisonment’ at the discretion of the Court.” CIPPIC Submission, supra note 8 at note 21 (page 7), citing 18 U.S.C. § 401.
 B.C. Commissioner Report, supra note 5 at 108 and 118-20.
 Supra note 2 at s. 7(3)(c).
 Supra note 2 at s. 7(3)(c.1)(i).
 Supra note 2 at s. 7(3)(c.1)(ii).
 Submission to the B.C. Information and Privacy Commissioner by Michael Geist and Milana Homsi, The Long Arm of the USA Patriot Act: A Threat to Privacy? July 2004 at 20-25, online: <www.mgblog.com/resc/Geisthomsipatriotact.pdf >[Geist Submission].
 Ibid.at 20-21.
 Supra note 2 at s. 4.1(b).
 See note 4, above regarding the application of private sector privacy legislation to employees of an organization.
 R.S.O. 1990, c. B.19.
 Hunt v. T&N plc,  4. S.C.R. 289 at 328.
 Defined as “any account, balance sheet, profit and loss statement or inventory or any resume or digest thereof or any other record, statement, report, or material in any way relating to any business carried on in Ontario” (supra note 22 at s. 1).
 Ibid. The other enumerated circumstances are those in which the transfer (i) is part of a regular business practice of furnishing information to a head office or parent company outside Ontario; or (ii) is carried out in certain circumstances contemplated by the Securities Act.
 Geist Submission, supra note 18 at 31.
 Submission of the Office of the Privacy Commissioner of Canada to the Office of the Information and Privacy Commissioner for British Columbia, Transferring Personal Information about Canadians Across Borders: Implications of the USA Patriot Act, August 18, 2004, at 9, online:
 BC Govt Serv. Empl. Union v. British Columbia (Minister of Health Services), 2005 BCSC 446 [BC Union].
 Other provisions of the Agreement discussed in the BC Union decision include the following (ibid. at para. 66):
· a $35M penalty if there is a breach of confidentiality by the service provider;
· whistleblowing requirements and protection, contractually and legislatively (FOIPPA);
· employee training in respect of their legal duties.
· extensive FOIPPA provisions to ensure records are kept in private and in British Columbia;
· all information remaining the property of the province;
· the contractual provision prohibiting disclosure of provincial data;
· the service provider’s express agreement that it is subject solely to the laws of British Columbia and Canada.