Canadian information technology companies are players on a global stage. Few large information technology projects are restricted to only one country and any venture into electronic commerce invariably crosses borders. No ambitious Canadian IT company is content to narrow its sights to the domestic market. Lawyers advising these businesses have always had to maintain an awareness of legal developments elsewhere but the last few years have brought with them a range of new laws that affect their southward-looking clients. No area of law has seen as much change at that touching upon the protection of personal information.

The one law that has received the greatest publicity and, perhaps, the greatest scrutiny, is the USA Patriot Act, which was passed by the Congress within two months of the terrorist attacks of September 11, 2001. This law does not single out the technology industry but a number of its provisions have had a particular impact on cross-border services, regardless of the direction in which those services flow. Section 505 of the USA Patriot Act short-circuits ordinary search warrant requirements and allows the Federal Bureau of Investigation to have access to records such as financial records, credit reports, ISP logs and transactional records for intelligence, counter-intelligence and anti-terrorism purposes by use of a “national security letter”. The recipient of a national security letter is required to hand over the information requested and is specifically precluded from informing the individual concerned that the US government has sought access to the information. When information on Canadians is within the jurisdiction of the United States, privacy advocates fear that this information will be too-readily made available to law enforcement, who are able to dispense with the usual “probable cause” requirements. Information in the custody of a US company (or a subsidiary) in Canada may be within the Act’s jurisdiction.

In May of 2004, the Information and Privacy Commissioner of British Columbia initiated a public consultation on whether these provisions of the USA Patriot Act would infringe upon the privacy of British Columbians following an announcement by the BC Government that it would outsource the processing of medicare claims to a Canadian subsidiary of a US company. The request for submissions resulted in more than five hundred contributions from individuals and organizations throughout Canada.

As was pointed out in a number of submissions to the BC Commissioner, personal information has always been available for law enforcement, intelligence and anti-terrorism investigations, regardless of where the information actually resides. The principal effect of the BC Commissioner’s report was to shine a spotlight on the cross-border sharing of personal information and to raise awareness – some might say paranoia – about Canadian personal information being stored in the United States. The attention to the issue spawned significant changes to the BC public sector privacy law and put government outsourcing under the microscope. Many outsourcing customers, government included, are now including language to prohibit the transfer of personal information outside of Canada, and in some cases outside the home province of the customer.

Legal changes in California’s privacy laws are spilling over to other states and are having an impact upon Canadian technology companies. California’s trail-blazing consumer privacy law, which has been followed in a number of US states, requires that organizations notify affected individuals whose personal information may have been compromised or accidentally disclosed. The California law is intended to operate extra-territorially. These laws not only place the company in the uncomfortable position of having to notify customers, but also provide penalties for failing to do so. The California law in particular has prompted the recent deluge of public disclosures of privacy and security breaches in the United States and has also increased consumer expectations on both sides of the border. Similar provisions have found their way into Ontario’s relatively new Personal Health Information Protection Act and the concept of mandatory notification will undoubtedly be considered as part of the five year review of the Personal Information Protection and Electronic Documents Act.

In an era in which privacy and security are perceived to be clashing on a regular basis and in which identity theft is characterized as one of the fastest-growing crimes, it should not be surprising that technology lawyers have to grapple with privacy on a more regular basis as both a customer-relations issue and as a significant regulatory concern. At least a baseline knowledge of the legal regimes on both sides of the border are necessary to get a sense of the big picture for advising clients.

Labels: bc, breach notification, health information, identity theft, information breaches, outsourcing, patriot act, phipa