B.C. moves to keep outsourced data safe from U.S. Patriot Act

Province doesn't want personal data managed by outsourced firm landing in the hands of foreign government agencies

Due to fears the USA Patriot Act might be used by authorities south of the border to access confidential information, at least one province has moved to prevent outsourced records from leaving Canada.

British Columbia introduced Bill 73 last month, which amends the province’s Freedom of Information and Protection of Privacy Act to require government and public-sector organizations to ensure personal data managed by outsourced firms cannot land in the hands of foreign government agencies such as the FBI. The bill does not apply to the private sector.

The province’s privacy commissioner has been studying the impact of the USA Patriot Act on data stored or processed by service providers with affiliations in the United States. Bill 73, however, was tabled before commissioner David Loukidelis issued his report. (For Loukidelis’ findings, click on the related articles link below.) While the government has been criticized by the Opposition for not waiting for the commissioner’s report, it has indicated it will look at including recommendations.

The B.C. Government and Service Employees’ Union (BCGEU) brought the issue to Loukidelis early this year when B.C. decided to contract out the administration of the Medical Services Plan, the province’s health insurance plan, to a U.S.-based firm.

While the union, opposed to data outsourcing in general, is concerned Bill 73 doesn’t go far enough in protecting data, outsourced service providers see it as an overreaction.

Minister of Management Services Joyce Murray said the government recognized the “largely theoretical” risk that U.S. authorities would use Patriot Act powers to force U.S.-linked outsourcing firms to grant access to personal information.

“The reason we call it a theoretical risk is the United States has other channels for obtaining information to counter terrorist activities,” said Murray, pointing to existing tools such as the mutual legal assistance treaty used by the two countries to share information.

Murray added the province wants to close any loopholes in its privacy legislation that would allow a U.S. law enforcement organization to “reach around” existing protections.

Brian Gardiner, a spokesperson for the BCGEU, said the surest way to protect data is not to outsource data processing altogether. The union is concerned the bill would not stop a U.S.-headquartered outsourcing firm from complying with orders from U.S. authorities.

This argument was echoed in a submission to Loukidelis from the American Civil Liberties Union, which stated: “From a practical point of view, there is little preventing a law enforcement officer who has gained a search warrant for a corporation’s records from searching records that are not held within the United States.” The civil liberties union was asked by the BCGEU to make a submission.

Submissions by business process service providers such as EDS Canada and Microsoft Canada stressed the unlikelihood that U.S. authorities would use the Patriot Act in this manner. One lawyer writing at the request of EDS Canada noted that section 215 of the act has been used only once since the act was made law in the months after the September 11 terrorist attacks.

Maximus, the U.S.-based contractor selected to process B.C.’s health insurance program, said in its submission that Canada’s Anti-Terrorism Law is similar to the Patriot Act in setting out lower standards for search warrants as well as allowing for “sneak-and-peek” search warrants. Plus, the province’s privacy law already allows for disclosure of personal information for the purpose of law enforcement. Given these mechanisms, U.S. authorities can gain access to personal information without resorting to the Patriot Act, said Maximus.

Bernard Courtois, president and CEO of the Information Technology Association of Canada (ITAC), said the Patriot Act issue is “a bit of a red herring.”

Even if data were to be stored in the U.S., said Courtois, service providers will resist access orders and send information requests to the clients who retain control of the information.

“We don’t think that the Patriot Act is justification for keeping data within one country. Imagine if every country does that, the efficiency and skills that the outsourcing industry brings to businesses and governments around the world will be impeded.”

Michael Geist, University of Ottawa law professor, said the issue isn’t that clear-cut.

“Until it is tested by a U.S. court, there will be some questions about the willingness of those courts to respect the Canadian law,” said Geist. “Companies could still find themselves facing conflicting obligations should a U.S. court order disclosure, while the Canadian law prohibits the same disclosure.”

He noted also that concerns about the Patriot Act aren’t limited to situations where information is outsourced.

“The Patriot Act issues apply equally to private-sector companies subject to U.S. jurisdiction — that would include U.S. companies with Canadian operations as well as Canadian companies with a U.S. presence.”

Federal privacy commissioner Jennifer Stoddart, in her submission, said this debate speaks directly to the question of Canadian sovereignty. She called for further dialogue between the private sector and governments on the issue.

The commissioner is also investigating a notice sent to CIBC Visa customers warning that their financial records could be disclosed under U.S. laws.




FBI’s expanded powers

The USA Patriot Act (an acronym for the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act) was passed in the first few months after the attack on the World Trade Center and designed to minimize information-gathering hurdles for law enforcement agencies.

Of particular concern to civil liberties watchdogs is Section 215, which allows the FBI director to order individuals and organizations to produce “any tangible things” for the purpose of “an investigation to protect against international terrorism or clandestine intelligence.” Individuals or organizations served with an order are prohibited from disclosing the existence of such an order.

To read the full story, login below.

Not a subscriber?

Start your subscription today!