Cross-Border Privacy Issues and the USA Patriot Act
Presentation for INSIGHT, Montréal, December 7-8, 2005
Charles Morgan



Overview
I. Overview of the USA PATRIOT Act
II. Recent Cross-Border Privacy Developments
III. Impact and Mitigation of Risks

I. Overview of the USA PATRIOT Act: Implications for Cross-Border Privacy

What is the USA PATRIOT Act?
“Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism”. Anti-terrorism legislation enacted by the U.S. Congress shortly after September 11. It expands the intelligence-gathering and surveillance powers of law enforcement and national security agencies by amending the U.S. Foreign Intelligence Surveillance Act (“FISA”). FISA grants U.S. authorities the power to gather intelligence on foreign agents in the U.S. and abroad. Under FISA, the Foreign Intelligence Surveillance Court (“FIS Court”) has the power to issue secret ex parte orders allowing U.S. authorities to gather information from third parties. Failure to comply with a FISA order, or to keep its existence secret, is an offence in the United States.

USA PATRIOT Act: s. 215
Section 215 of the Patriot Act did not create a new jurisdiction to compel the production of records, but rather amended a pre-existing provision of FISA. Three changes were made:
- Prior to the enactment of s. 215, the FIS Court could compel common carriers, public accommodation facilities, physical storage facilities or car rental facilities to produce their business records. Section 215 now authorizes production orders against any person or entity;
- Section 215 modified the former requirement that the information sought relate to “a foreign power or an agent of a foreign power”. It now applies to any individual or organization that is relevant to an investigation of “international terrorism or clandestine intelligence activities”; and
- Section 215 changed the scope of items that may be obtained from “records” to “any tangible things” (including books, papers, records, documents, and other items).

USA PATRIOT Act: s. 218
Section 218 changed the standard applied by the FIS Court before approving an application for electronic surveillance or physical search. The previous standard required certification by a security official that the sole purpose of the physical search or electronic surveillance was to obtain foreign intelligence information. Section 218 now expands the criteria: it is sufficient that a significant purpose of the intended surveillance or search is to obtain foreign intelligence information.

National Security Letters
Section 505 amends certain provisions of the Electronic Communications Privacy Act, the Right to Financial Privacy Act, and the Fair Credit Reporting Act, making it easier to obtain National Security Letters (“NSLs”). An NSL is an administrative subpoena that permits an FBI supervisory official to request from third parties particular records that relate to counterintelligence or terrorism investigations, such as telephone and Internet activity records (available under 18 USCS § 2709) and financial and credit records from banks and other financial institutions (available under 12 USCS § 3414).

National Security Letters
The Director of the FBI may now issue an NSL permitting the FBI to obtain certain records in circumstances where those materials are “relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities”. A recent case held that the secrecy associated with the NSL process is inconsistent with the First Amendment to the US Constitution: Doe and ACLU v. Ashcroft, 2004 U.S. Dist. LEXIS (S.D.N.Y. 2004).

Jurisdiction to Make Production Orders
The test is one of control of the documents sought to be produced. “Control” means not only the legal right to obtain the documents but also whether the United States business has “access to the document” or “the legal right, authority or practical ability to obtain the materials sought upon demand”. Neither location within the US nor actual possession by the US entity is necessary.

Jurisdiction to Make Orders to Produce Documents Held by Affiliate Entities
“Courts in the United States have generally held United States corporations responsible for production of documents located abroad in the possession of their foreign branches or subsidiaries, unless a defence, such as an effective blocking order, is applicable where the information is located.”
The Restatement (Third) of the Foreign Relations Law of the United States

New Act, Old Concept
Once personal information about Canadians is transferred outside Canada, the laws of the country to which the information has been transferred will generally apply to determine when government agencies and authorities can obtain access to that personal information. The USA PATRIOT Act is relatively new, but the concept behind the legislation is not. The Act is one example of a law that can give the US government or its agencies access to personal information about Canadians that has been transferred to the United States (e.g. National Security Letters, grand jury subpoenas).

MLAT Alternative
If the FBI desires to obtain records held by a Canadian affiliate of a U.S. company, it would be likely to rely on the bilateral treaty between the United States and Canada known as the Mutual Legal Assistance Treaty (the “MLAT”).

II. Recent Cross-Border Privacy Developments

Recent Cross-Border Privacy Developments
There have been three Patriot Act-related events in BC worth briefly mentioning:
- Privacy Commissioner report on public sector outsourcing and the Patriot Act
- Freedom of Information and Protection of Privacy Act (“FOIPPA”) amendments
- BC government litigation re: Ministry of Health outsourcing

BC Information & Privacy Commissioner’s Report
After receiving more than 500 submissions from across Canada, the Information and Privacy Commissioner of B.C., David Loukidelis, released the Patriot Act Report on October 9. The Commissioner concluded that FOIPPA required public bodies, directly or through their contractors, to implement reasonable, but not absolute, security arrangements to protect personal information against risks, including the risk of unauthorised disclosure. The Commissioner also concluded there is a “reasonable possibility” that the FIS Court would issue a FISA order requiring a U.S.-located corporation to produce records held in Canada by its Canadian subsidiary. Despite this concern, the Commissioner concluded that a ban on outsourcing would be neither practical nor effective. Instead, he recommended that other measures be implemented at the legislative, contractual and practical levels to mitigate, though probably not eliminate, the risk of unauthorized disclosure in response to a FISA order or national security letter.

Potential Scope of the Order
“Any data transmission to or through the U.S. would be subject to electronic surveillance provisions of American law. Depending on how outsourcing contracts are written, they may permit electronic transmission of data to or through the U.S. This could happen on data backup or processing, or simply by internet transmissions routed through the U.S. The broad surveillance provisions of the USA Patriot Act, now available for purposes other than investigating terrorism, would then jeopardize the privacy rights of British Columbians.”
Patriot Act Report at p. 72, citing the submission of the BC Government and Service Employees’ Union

Effect of Contractual and Practical Steps to Avoid Disclosure
“We do not suggest that public bodies cannot or should not implement contractual or practical arrangements relating to control. To the contrary, we recommend that such arrangements be put into place. This is because, despite the cases in which corporate ownership is enough to establish control over records, other cases suggest that such measures might influence the control issue.”
“Any contractual and practical measures to keep personal information out of the control of a US-located parent corporation would also speak to British Columbia public policy respecting the privacy of personal information. This is important because, even if a US court decides that records located outside the US are controlled by a US-located corporation, it will apply a balancing test to decide whether it should order disclosure in the face of foreign law that prohibits disclosure.”
Patriot Act Report at

FOIPPA Amendments
In the fall of 2004, prior to the release of the Commissioner’s report, the B.C. government made several amendments to FOIPPA, including:
- personal information, including information that is disclosed to service providers, in the custody or control of a public body must be stored and accessed only in Canada, unless specifically stated otherwise;
- limits on the purposes for which a public body may disclose personal information outside of Canada;
- no grandfathering: the public authority shall use all reasonable efforts to comply with the new disclosure rules as soon as reasonably possible;

FOIPPA Amendments  requires public bodies and service providers to report to the Minister any foreign demand for unauthorized disclosure of personal information (i.e. not authorized under FOIPPA)  a new “whistle-blower” protection has now been implemented for individuals who report a foreign demand for disclosure of personal information; and  additional offences have been created for violation of the new privacy protection provisions (for example, fines of up to $500,000 for a corporation, up to $25,000 for a partnership or individual service provider, and up to $2,000 for an employee).

The Maximus Decision
The March 14, 2005 decision in BC Government and Service Employees’ Union v. British Columbia (Minister of Health Services) (“Maximus”) considered the Patriot Act and outsourcing in British Columbia. The BCGEU petitioned to stop the outsourcing of certain health benefit operations by the British Columbia government to British Columbia subsidiaries of a U.S. publicly traded company (MAXIMUS Inc.). The union’s petition was dismissed on other grounds, but the court went on to consider the privacy issues raised by the union.

Maximus Privacy Findings
The following paragraphs from Justice Melvin’s decision highlight the relevance in Canada of the Patriot Act, but at the same time make it clear that the Patriot Act is not a bar to outsourcing transactions in Canada:
“[65] Accepting that a FISA court in the United States, acting under s. 215 of the Patriot Act, would order Maximus U.S. to produce records and further accepting that the order would have extraterritorial application in respect of Maximus U.S. subsidiaries, the issue still is which records are under control of Maximus U.S. and does Maximus U.S. have access? The opinions differ. However, I accept that the contractual provisions, the corporate structure, and the legislative provisions provide more than reasonable security with respect to records in British Columbia.”

Maximus Privacy Findings
“[67] Although the experts’ evidence differs as to whether or not there is a likelihood of a U.S. Patriot Act application and order under s. 215 in relation to Maximus U.S. or any of its Canadian subsidiaries, and the effect of that order, in my opinion when one analyzes the contract and the legislation it is clear that parties to this arrangement have taken all reasonable steps to ensure the confidentiality of the information which Maximus will receive in order to discharge its contractual obligations. Privacy is not absolute.”

Other Recent Activity
Events relating to the Patriot Act in Canada have not been exclusive to British Columbia. In December 2004, the government of Alberta announced that it would be conducting its own review of the Patriot Act and its impact on privacy in Alberta. The federal government also announced in early 2005 that it was considering implementing contractual provisions going forward that would address Patriot Act concerns. In October 2005, Jennifer Stoddart announced that the federal (public sector) Privacy Act should be substantially amended in light of recent developments:
- “privacy threats multiplying like a bad virus, threatening to overwhelm us...”
- “voracious appetite for personal information and surveillance in post-9/11 environment”
Amendments to the FOIPPA amendments are under consideration.

III. Impact and Mitigation of Risk

Impact?
- Level playing field as between “entirely Canadian” corporate structures and Canadian subsidiaries of US entities?
- Structural and contractual adjustments
- Free transborder flow of personal information will be slowed or curtailed

Eliminate Access by US Entities
Prevent U.S. entities from having access to or control over personal information. Consider the need to prevent access by US employees and contractors. Contracts between employees and the US parent should address the handling of data, including restrictions on disclosure to U.S. entities. Employees should receive appropriate training regarding the applicable processes relating to access to and control of data.

Technical Measures
Use technical and business processes that limit the likelihood that information will be used other than as intended. Identify and segregate personal data. Limit access to those persons with a need to know, to reduce the risk of intentional or inadvertent disclosure. Use appropriate security mechanisms to limit data being removed from the premises in physical or electronic form.

Structural Approaches
- Contractual relationships in which Canadian data is accessible only by an entity unrelated to any U.S. company, and a U.S. company by contract provides services or support to the Canadian entity.
- Corporate structural approaches in which the Canadian data is accessed by an entity that is an affiliate of the U.S. company but over which the U.S. company does not have control, e.g. proxy relationships, limited partnerships, non-voting equity structures, etc.

Contractual Obligations with US Provider
Some US cases suggest that contractual or practical arrangements may influence a US court’s findings regarding control and be effective. Use contractual terms to ensure that the customer has the exclusive right, power and authority to control the use and disclosure of personal information to third persons, and obtain agreement that physical possession of personal information is provided to the outsourcer/service provider as a trustee for the sole benefit of the customer, solely to provide the services. Caveat: a court could declare the contractual restrictions void as against U.S. public policy, or might refuse to enforce the provision.

Notify Customers and Obtain Consents
Notify customers that the information may be available to the US government or its agencies under a lawful order made in that country. Consider referencing “compliance with Canadian law” in the consent as a further barrier to an unfettered response to a USA Patriot Act data request.

Q & A