Those who handle individuals’ personal information, including financial details, in the course of business are required to treat that information in accordance with Canada’s privacy laws. This includes obtaining each individual’s consent to the purposes for which, and persons to whom, this information is disclosed. If this information is transferred for storage or processing, or otherwise shared with a U.S. or U.S.-controlled Canadian company (collectively, a “U.S.-linked” company), there is a risk that the U.S.-linked company could be compelled to disclose that information to U.S. authorities without the individual’s knowledge or consent. While the risk of access by U.S. authorities has always been present, the introduction of U.S. anti-terrorism legislation has raised concerns about the increasing ease and secrecy of that access, as well as its interaction with Canada’s privacy laws.
How Information-Sharing with U.S.-Linked Companies May Breach Canada's Laws
The USA PATRIOT ACT [Act of 2001, Pub. L. No. 107-56, 272 Stat. 115] was introduced in the wake of the events of September 11, 2001 as a means of increasing the U.S. government’s ability to intercept and obstruct terrorist communications and activities. To this end, the Patriot Act facilitates, among other things, the ability of U.S. authorities to conduct searches and to seize or compel the disclosure of records. The implications of the Patriot Act on Canadian businesses and the security of Canadians’ personal information, while still somewhat unknown, are highly relevant to any business that handles Canadians’ personal information and shares or transfers that information to U.S.-linked entities.
The Private Sector Privacy Landscape in Canada
Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) requires organizations engaged in commercial activities to obtain individuals’ consent to the collection, use or disclosure of their personal information. In Alberta, British Columbia and Quebec, provincial private sector privacy legislation has been deemed substantially similar to PIPEDA, and applies within the province in its place. Disclosure of personal information to a third party without the individual’s consent constitutes a breach of these laws, except in specified circumstances.
When personal information held by an organization is transferred to a third party for processing, the organization’s responsibility for that information continues, and it must provide protection while the information is in the hands of that third party. [Ibid. at Sch. I, principle 4.1.3.] This obligation is met by, for example, including provisions in outsourcing contracts that limit the third party’s use or disclosure of the information.
Note that PIPEDA does not apply to the personal information of employees of an organization, other than those employed in “Federal Works or Undertakings,” defined in PIPEDA to include banks, airlines and radio broadcasting stations. The provincial Acts of British Columbia, Alberta and Quebec do apply to employees, as does the proposed private sector privacy legislation for Ontario.
The Information and Privacy Commissioner of British Columbia (the B.C. Commissioner) undertook extensive consultations resulting in a report on the Patriot Act’s implications on the B.C. government’s decision to outsource to a U.S.-linked firm certain healthcare provision functions for members of its public servants’ union. The B.C. Commissioner found that the Patriot Act could possibly be used to compel disclosure of information outsourced to a U.S.-linked company, in breach of the B.C. government’s obligations under the provincial public sector privacy legislation.[Ibid. at 132] Although the situation in British Columbia arose in relation to public sector privacy legislation, Patriot Act powers could be applied equally to information transferred by Canadian private sector entities to U.S.-linked organizations, risking the security of that data and a possible breach of Canadian private sector privacy legislation.
The Patriot Act
Prior to the passage of the Patriot Act, Canadians’ personal information in the custody or control of U.S.-linked organizations could be accessed by U.S. authorities by other means, such as national security letters or grand jury subpoenas, or through governmental channels. Control has been interpreted as “the legal right, authority or practical ability to obtain the materials sought upon demand.” B.C. Commissioner Report, supra note 5 at 119, note 12, citing Bank of New York v. Meridien Biao Bank Tanzania, 171 F.R.D. 135 at 146 (S.D.N.Y. 1977). Note that this definition has not been applied in the context of the Patriot Act and it is therefore uncertain how it would apply in that context.
The Patriot Act, it has been suggested, simply “broadened the scope and lowered the standard for the issuance of such orders.”[Canadian Internet Policy and Public Interest Clinic (CIPPIC), Submission on the USA Patriot Act, which was made to the B.C. Commissioner (August 2, 2004)]
The Patriot Act amended the Foreign Intelligence Surveillance Act (FISA) to permit the FBI to seek orders from the secret FISA Court requiring the production of “tangible things” relevant to “an investigation to protect against international terrorism or clandestine intelligence activities.”[Supra note 1 at s. 215. “Tangible things” is defined in the section to include books, records, papers, documents, and other items.] The Patriot Act also lowered the standard for a FISA order: from foreign-intelligence gathering being “the purpose” of the search or surveillance to its being “a significant purpose.”[Ibid. at s. 218.] These changes, among others, have raised concern that the Patriot Act will allow “the U.S. government to engage in large-scale fishing expeditions.”[CIPPIC Submission , supra note 8 at 6.]
As a result of the secrecy in which the FISA Court operates, little information is available on how these provisions have been used. Furthering the secrecy of FISA orders is the prohibition on an organization from disclosing that it has received or disclosed information under a FISA order.[Supra note 1 at § 215(d). ] This means that the U.S.-linked company receiving the order may not tell the organization or relevant individuals that gave it the information that the information was requested by or disclosed to U.S. authorities.
Interaction Between the Patriot Act and Canada’s Privacy Laws
Once Canadians’ personal information is transferred to the United States, it is subject to U.S. law, including the Patriot Act. Whether the Patriot Act could be used to compel a U.S. parent to disclose records held by a Canadian subsidiary remains a matter of debate. The B.C. Commissioner Report found that it is a “reasonable possibility” that the FISA Court would order production of documents that are within the custody or control of a U.S. company, such as a U.S. parent with access to records held by a Canadian subsidiary. [B.C. Commissioner Report, supra note 5 at 108 and 118-20.]
If a U.S.-linked company makes a disclosure to U.S. authorities without the consent of the Canadian individuals named, this could result in the Canadian organization that transferred the information breaching Canadian privacy legislation unless the disclosure meets an exception in the applicable Canadian privacy legislation.
PIPEDA permits disclosure without consent in certain circumstances, including:
- when an organization is required to comply with a court order to compel the production of information;[Supra note 2 at s. 7(3)(c).]
- when the disclosure is to a government institution in response to a request for information related to national security or international affairs;[Supra note 2 at s. 7(3)(c.1)(i).] or
- for the purpose of enforcing a law of Canada or of a foreign jurisdiction.[Supra note 2 at s. 7(3)(c.1)(i).]
PIPEDA does not expressly limit these exceptions to Canadian court orders or governmental institutions. If these exceptions do permit disclosure to foreign authorities without consent, Patriot Act orders would not violate PIPEDA. If, however, the PIPEDA exceptions do not apply to requests from foreign governmental authorities, compliance with such orders would violate PIPEDA.[Submission to the B.C. Information and Privacy Commissioner by Michael Geist and Milana Homsi, The Long Arm of the USA Patriot Act: A Threat to Privacy? July 2004 at 20-25] Unfortunately, adding to the uncertainty surrounding the Patriot Act, the application of these exceptions to foreign orders or institutions has not yet been clarified by either PIPEDA or the Privacy Commissioner.[Ibid.at 20-21.]
The need for clarity on the interaction between PIPEDA and the Patriot Act becomes apparent in the many instances that could arise in the course of business. For example, personal client information held by the Canadian office of an international accounting firm on a shared database, and accessible to colleagues in its U.S.-linked company, may constitute custody by the U.S.-linked company and could lead to it being ordered to produce that information to U.S. authorities.
In provinces where privacy legislation applies to employees of an organization, or in certain federal operations in which PIPEDA applies to employee information,[Supra note 2 at s. 4.1(b).] including banks and telecommunication companies, issues may arise with respect to employees’ personal information being put in the hands of U.S. authorities without employees’ knowledge or consent. For example, an in-house accountant who outsources the company’s payroll or benefits processing to a U.S.-linked firm is, arguably, making employees’ personal information accessible to U.S. authorities. This may constitute a breach of the applicable privacy legislation by the employer organization.
A practical implication of the Patriot Act may be that individuals will choose to deal with businesses that do not share their information with U.S.-linked affiliates or service providers. With heightened media attention given to the reach of the Patriot Act, and therefore increasing awareness of the Act, as well as its inherently political nature, clients may be scared off by the hype—even if in practice the result is not that different than before the Patriot Act.
The Business Records Protection Act
Even if the disclosure is permitted by PIPEDA, other statutes may block compliance with a FISA order. The Business Records Protection Act (Ontario)[R.S.O. 1990, c. B.19.] (BRPA) was enacted in response to “aggressively extraterritorial, ‘long arm’”[Hunt v. T&N plc,  4. S.C.R. 289 at 328.] U.S. legislation. The BRPA prohibits removing business records from, or taking or sending them out of, Ontario, except in specific circumstances, including where such transfer “is provided for by or under any law of Ontario or of the Parliament of Canada.”[ Ibid.] Whether the BRPA could effectively block a U.S. order to disclose records to the U.S. government is uncertain. It has been suggested that “U.S. courts have not granted the statute high deference due in part to its lax enforcement.”[Geist Submission, supra note 18 at 31.] A further complication is that to argue that the disclosure is blocked by the BPRA, the Ontario company holding the records would have to disclose the existence of the FISA order, breaching the Patriot Act and risking resulting penalties.
Measures to Enhance Protection and Minimize Exposure
The secretive nature of the Patriot Act complicates measuring the effectiveness of steps taken to keep data held by U.S.-linked companies out of the reach of U.S. authorities. Certain measures may nonetheless be taken to attempt to enhance the protection of the data and minimize the Canadian organization’s exposure under Canadian privacy legislation.
According to the Office of the Privacy Commissioner of Canada, a company in Canada that outsources information processing to the United States, where it will be subject to U.S. laws, should notify its customers that the information may be made available to the U.S. government or its agencies under a lawful order made in that country.[Submission of the Office of the Privacy Commissioner of Canada to the Office of the Information and Privacy Commissioner for British Columbia, Transferring Personal Information about Canadians Across Borders: Implications of the USA Patriot Act , August 18, 2004, at 9
Such notification would give individuals the option of refusing to provide personal information if they object to risking its access by U.S. authorities. This approach may result in clients’ refusing to do business with the organization. On the other hand, such an approach could become a logistical nightmare for the organization if clients permit the organization to provide them with services, but refuse to allow certain pieces of their personal information to be disclosed to U.S.-linked companies. The organization would then be required keep track of the specific pieces of personal information that must be treated in a special manner.
Other approaches are found in the Master Services Agreement (the Agreement) between the B.C. government and its service provider, mentioned above. The terms of the Agreement were noted with approval by the B.C. Superior Court in dismissing the B.C. public servants’ union attempt to have that Agreement quashed.[BC Govt Serv. Empl. Union v. British Columbia (Minister of Health Services), 2005 BCSC 446 [BC Union].] It is unknown, however, whether these measures will in fact insulate the data from the reach of the Patriot Act and U.S. authorities. These provisions include a trust structure under which the province would obtain the shares of the B.C. subsidiary providing the outsourcing services in case of a risk of disclosure. Other measures include restrictions on the use and control of electronic equipment and devices by employees. Other provisions of the Agreement discussed in the BC Union decision include the following (ibid. at para. 66):
- a $35M penalty if there is a breach of confidentiality by the service provider;
- whistleblowing requirements and protection, contractually and legislatively (FOIPPA);
- employee training in respect of their legal duties.
- extensive FOIPPA provisions to ensure records are kept in private and in British Columbia;
- all information remaining the property of the province;
- the contractual provision prohibiting disclosure of provincial data;
- the service provider’s express agreement that it is subject solely to the laws of British Columbia and Canada.
Until the U.S. government releases more information about the uses it might make of its Patriot Act powers, it will be difficult to determine how worried Canadian businesses should be and what should be done to protect the personal information of Canadians in the hands of U.S.-linked companies. In the meantime, by ensuring that clients are aware of when and how their information may be at risk of access by U.S. authorities, and by exploring other means of contractually protecting the data, Canadian CAs and their firms can help protect themselves to some degree from breaches of Canadian privacy legislation.