Disclosing Personal Information Across the Border



Christopher Guly for The Lawyers Weekly

May 14, 2010

B.C. government wants to permit transborder flow of personal data

Six years ago, the B.C. government tightened its privacy law to prevent the public sector from disclosing personal information beyond Canada's borders. Now the provincial government wants to loosen that restriction on the storage and access of information outside the country.

As part of a comprehensive review of the Freedom of Information and Protection of Privacy Act (FIPPA) - which must be undertaken at least every six years - the B.C. government has proposed several amendments to reflect the fact that the world is a very different place than when the legislation first came into force in October 1993. (B.C. and Nova Scotia are the only Canadian jurisdictions that have public-sector laws restricting the transborder flow of personal information out of Canada.)

One of the changes would involve amending provisions in the law that prohibit, with a few exceptions, the storage of information outside of Canada, to reflect developments in information technology (IT) and "advancements that make jurisdictional boundaries artificial, including social networking and other Internet tools and mechanisms that can promote stronger citizen engagement, and to take advantage of commercial and economic opportunities for storage and management of information, including 'cloud computing.'"

To achieve those objectives, B.C. lawmakers will have to open a legislative door locked in 2004 when the Act was amended to address what were billed at the time as concerns regarding cross-border access to public-sector sharing of personal information about the province's residents. The "fear" that precipitated the restriction was that American law-enforcement officials would be able to use the 2001 USA Patriot Act or some other legal mechanism to approach a U.S.-based entity, such as Google's Gmail service, to obtain information about foreigners in the post-9/11 war against terrorism, according to Ottawa privacy lawyer Kris Klein. He served as litigation counsel in the Office of Canada's Privacy Commissioner from 2005 to 2007.

In fact, he says that U.S. authorities have reportedly only relied on the Patriot Act 87 times through to the end of 2008, and it's unknown whether any of those instances involved information on Canadians.

Klein explains that an underlying reason behind the legislative amendment six years ago was that the B.C. Government and Services Employees' Union opposed the provincial government's plans to contract out IT services and took legal action, including an unsuccessful bid before the B.C. Supreme Court to challenge a government contract for the administration of residents' health records with Virginia-based government services company MAXIMUS Inc.

"The union complained that outsourcing was unfair because it took jobs out of B.C. and came up with a good argument that it would result in transferring sensitive information to the United States where the FBI could have access to it," says Klein, who is considered one of the country's leading experts on Canadian access to information and privacy legislation. "But politicians passed the law without truly understanding what they were doing, nor did they truly understand the nature of data in today's world."

The government seems to now have a better grasp of communication in the 21st century. In a submission to the special committee studying FIPPA, it explained that B.C. Ministry of Children and Family Development staff "have identified the use of Facebook and other social media tools as a method to engage today's youth on their own terms, enabling the establishment and continuation of communications with individuals who may be difficult to access through traditional methods of communication.

"While practice will minimize the scope and sensitivity of personal information involved, any communication via a social media site involves disclosure of government information to the third-party service provider."

That information, as the government document points out, is typically stored outside of Canada, since most, "if not all, social media sites operate in other jurisdictions."

The B.C. government says that while the requirement to store personal information inside Canada emerged from the concern that citizens' data could be accessed through the USA Patriot Act, "it is difficult to see how the information in question [such as a child and youth mental health clinician communicating with a youth client] would be of any relevance to U.S. national security, and therefore is unlikely to be accessed by the U.S. government under the USA Patriot Act or any other government under similar legislation."

So to help ministry caseworkers use new technologies and Internet tools to connect individuals with services - or find family members, as in the case of children in care - the provincial Liberal government proposes to add a provision to FIPPA that would enable disclosure of personal information "inside or outside of Canada for the purpose of enhancing engagement with citizens."

In addition, the government wants to refine the legislation "to address storage of information intended for a first party but exposed to and stored by a third party social media service provider."

However, in his submission to the special legislative committee reviewing FIPPA, former Canadian Bar Association president Paul Fraser, who serves as B.C.'s acting Information and Privacy Commissioner, recommended that the government "not proceed with any more data sharing initiatives until a meaningful public consultation process has occurred, and the outcome of that process is an enforceable code of practice for data-sharing programs."

He also called on the government to appoint its own chief privacy officer.

Sara Levine, a Vancouver privacy lawyer who practises law with four other lawyers in the virtual firm, Alliance Lex, says that it is not unreasonable for the provincial government to find "novel methods" to reach residents who require access to social services and who might not have mailing addresses or phone numbers. "But a wholesale change of the law may be too blunt an instrument and a more targeted analysis, facilitated by a chief privacy officer for the province, might be a more practical solution to protecting individual rights and enhancing client service," says Levine, who does pro bono work for the Vancouver-based B.C. Freedom of Information and Privacy Association.

The association wants FIPPA amended to ensure that personal information, "created by or in the custody of a service provider under contract to a public body," is controlled by that public body for which the contractor is providing services - and remains in Canada.

Klein has also made a submission to the special legislative committee on behalf of Salesforce.com Inc., an Internet-based business service, headquartered in San Francisco, which allows government departments and agencies to input, store and access data about their clients through a process known as cloud computing.

He argued that B.C. public sector agencies "are missing out on innovation and efficiencies afforded by modern outsourcing arrangements" in an information age where "the value derived from data depends on its fluid nature." As well, public-sector organizations "unnecessarily spend significant sums of money to keep data inside of Canada," when outsourcing could provide considerable savings for B.C. taxpayers.

Furthermore, the protection the prohibition in FIPPA affords is "illusory," says Klein, who points out that B.C. bureaucrats have effectively been breaking the law if they've sent messages containing personal information to residents with a Yahoo, Gmail or other email address - or via Twitter - which are connected to servers outside Canada.