© 2004, Deeth Williams Wall LLP. All Rights Reserved. By: Jason Young, Student at Law (November 10, 2004)

On October 19, 2004, British Columbia passed Bill 731 amending the Freedom of Information and Protection of Privacy Act ("the FOIPP Act")2 to restrict the disclosure of personal information outside Canada and expand the scope of personal liability and sanctions for contraventions of the Act. The move was in response to fears that the increasing trend of public organizations to outsource data processing and management might render personal information outsourced to foreign jurisdictions vulnerable to uses not consistent with Canadian law.

Earlier this year, the British Columbia Government and Service Employees' Union ("BCGEU") filed a lawsuit against the provincial government in light of its plan to retain a US-linked contractor to run the province's public health insurance program. The suit was launched to protect union jobs, but health information is a touchstone for privacy and when the union raised the privacy flag, it quickly stirred a wider public interest in the impact that post-September 11 anti-terrorism measures might have for personal information outsourced to other jurisdictions, particularly the United States.

In response, British Columbia's Information and Privacy Commissioner launched a public consultation into the ramifications of the USA PATRIOT Act (the "Patriot Act") in the spring. Underlining the sensitivity of the issue, the Commissioner received over 500 submissions from ordinary citizens, governments and public interest groups, and provincial, national and even international data protection commissioners. The Commissioner released his report on October 29, 2004 which commended the provincial government for taking a leadership position in addressing some of the problems associated with outsourcing, but recommended increased clarification of certain areas of the FOIPP Act and his powers to oversee it3.

What is the Patriot Act?

The U.S. Congress enacted the Patriot Act shortly after September 11, 2001, to expand the intelligence gathering and surveillance powers of law enforcement and national security agencies. The law allows U.S. authorities to obtain records and other "tangible things" to protect against international terrorism and other clandestine intelligence activities and requires that foreign intelligence gathering need only be "a significant purpose" for the search4, rather than the only purpose. This change leaves open a back door for enforcement of ordinary criminal and regulatory laws5.

The law also expands the circumstances under which the FBI can issue "national security letters" to compel financial institutions, phone companies and Internet service providers to secretly disclose information about their customers. There is no independent oversight of the demand authority and the FBI is required only to establish that the information it seeks is relevant to an authorized intelligence investigation. Until recently, third party recipients of such letters were permanently barred from revealing they had been served6.

What changes does Bill 73 introduce?

Moving quickly to blunt both public criticism of international outsourcing, as well as the reach of problematic foreign long-arm statutes, the BC legislature enacted Bill 73 without even waiting for the release of the Commissioner's report. The Bill expands the scope of the FOIPP Act in three important areas.

First, the Bill applies the provisions of the FOIPP Act beyond the public sector. The Act now applies not only to personal information in the custody and control of public bodies, but also to personal information in the custody and control of organizations that provide services to public bodies, even if these organizations are not public7. This principle does not substitute for the rule that a data collector remains responsible for personal information that it may disclose to third parties for processing8, but rather creates joint responsibility for the data collector and the service provider where those parties are different, and clarifies responsibility where the service provider collects personal information on behalf of the public body. The amendments also reinforce the government's responsibility to publish directories of personal information in its custody and control, even if the information is effectively held by service providers9. Additionally, these directories must include summaries of applicable information-sharing agreements and privacy impact assessments.

Second, Bill 73 makes individuals liable for contraventions of the Act. The scope of personal liability for contraventions of the Act applies to employees, officers and directors of public bodies and to employees or associates of service providers10. It is now an offence to contravene notice requirements for foreign demands for disclosure, the whistle-blower provision or the restrictions placed on storing, accessing or disclosing personal information outside Canada11. Before this latter amendment, unauthorized disclosures of personal information could only be the subject of a complaint to the Commissioner.

Third, the Information and Privacy Commissioner now has the authority to issue binding orders against service providers regardless of whether they are public or not12, though the Act still lacks a mechanism for enforcement, including any method by which orders can be filed in court by the Commissioner13.

The order-making power and the expanded scope of the Act to cover some private actors blurs the line between public sector and private sector privacy laws14. This will create overlapping jurisdiction where private sector service providers have public sector clients. For example, a publisher that outsources management of its subscription database to a foreign service provider remains federally and provincially responsible under statute for the fair handling of that information, but is not required to seek special permission to have it processed outside the jurisdiction15. Should that same publisher collect alumni information from a university that has contracted it to manage their fundraising campaign, the publisher would be obligated to only process that personal information in Canada, unless an additional, specific consent was received from the alumni.

Notice requirements

The Act now requires that public bodies and their service providers report foreign or suspected foreign "demands for disclosure" to the Minister responsible for the Act16. Under the Act, a foreign demand for disclosure means a subpoena, warrant, order, demand or request from a foreign court, agency or other authority to make a disclosure not authorized under the Act17.

A foreign demand for disclosure also includes any authorized disclosure, production or access to personal information that is made or suspected to be made for the purpose of responding to a foreign demand for disclosure18.

Storage, Access and Transborder Disclosures

The Act now requires that a public body ensure that personal information in its custody or control is stored only in Canada, unless the data subject has identified the information and consented to it being stored in or accessed from another jurisdiction19.

This amendment draws a distinction between allowable disclosures within and outside of Canada: in the case of the former, the categories have remained largely unchanged20. Notably, Bill 73 repeals a provision which had previously allowed disclosures outside of Canada for uses which were consistent with the purpose for which the information had been collected21. Disclosures for consistent purposes are still allowed within Canada22.

The Bill also prohibits disclosure for the purpose of complying with a subpoena, warrant or order issued or made by a foreign court, person or body with jurisdiction to compel the production of information; disclosures within Canada for these purposes are allowed23. In his report on the Patriot Act, the Commissioner considered this limitation to be implicit in the old s. 33(e). The validity of this interpretation has not been tested in the courts but, if true, would make personal information collected by organizations not subject to the FOIPP Act resistant to foreign demands for disclosure under a sister provision in the provincial private sector privacy law24.

Whistle-blower protection

The government's adoption of whistle-blower protection is an important development. Employees who, acting in good faith and on reasonable belief, report contraventions of the Act by their employer, or others, to either the Minister responsible or to the Commissioner, are protected from retribution. This protection extends also to employees who act or state that they will act to do anything required to be done to avoid having any person contravene the Act, or have refused to aid others to contravene the Act25.

Criticisms of the Bill

The Commissioner has commended the provincial government for taking a leadership position in addressing some of the problems associated with outsourcing, but for service providers, unions and privacy advocates alike, the Bill 73 amendments leave much to be desired.

The amendments do little to alleviate the legal uncertainty around transborder outsourcing. A number of public employee unions, including the BCGEU, have levelled the criticism that since the Patriot Act requires U.S.-linked companies to disclose personal information in response to national security letters, irrespective of what Canadian law might require those companies to do, the Bill 73 amendments simply place those companies in legally untenable situations. That is, if a U.S. law enforcement or intelligence agency serves one of these companies with a demand for disclosure under the Patriot Act, and the company complies by disclosing the personal information of Canadians to the requester, it may contravene the Bill 73 prohibitions, but if it fails to comply with the demand, it will contravene the U.S. law and risk prosecution in that country.

The amended statute leaves the door open for transborder disclosures by domestic or to foreign law enforcement agencies while hindering the legitimate free-flow of data for commercial purposes. For example, the amendments do not repeal or narrow permissible disclosures by anyone of personal information outside Canada under a treaty, arrangement, agreement or provincial or Canadian enactment26. Further, the provision requires no independent oversight of disclosures by domestic or to law enforcement agencies. Domestic agencies, from the RCMP to municipal police forces, can make such disclosures, directly and without restriction, to a foreign law enforcement agency under any "arrangement, written agreement, a treaty or provincial or Canadian legislative authority"27.

The non-disclosure provisions of the Act come into force gradually and do not apply to contracts signed before October 12, 2004 or October 19, 2004, depending upon the category of public body which entered into the agreement. The old disclosure rules apply to all earlier contracts and since many of those contracts will likely continue to be enforceable for some time, this effectively creates two independent contractual regimes. Second, different rules apply to transborder disclosures of personal information collected by or on behalf of public bodies compared to that collected on behalf of private sector organizations. Third, the federal private-sector privacy law also applies to all transborder outsourcing28, notwithstanding a recent decision by the federal government that BC's private-sector privacy act is otherwise exempt because it is "substantially similar" to the federal law29.

Endnotes

  1. Bill 73, Freedom of Information and Protection of Privacy Amendment Act, 5th Sess. 37th Parl., British Columbia, 2004 (as passed by Legislature 19 October 2004.
  2. R.S.B.C. 1996, c. 165 [FOIPP Act].
  3. British Columbia, Information and Privacy Commissioner, Privacy and the USA Patriot Act, (Victoria: OIPC, 2004), online: OIPC http://www.oipcbc.org/ [Commissioner's Report].
  4. Pub. L. No. 107-56, 115 St. 272, s. 218.
  5. The Department of Homeland Security has added a number of new categories to its internal record-keeping system for tracking actions that, in its view, are in some way related to terrorism, including one for "anti-terrorism" which according to the Department's data manual covers immigration, identity theft, drug and other such cases brought by prosecutors that were "intended to prevent or disrupt potential or actual terrorist threats where the offence conduct is not obviously a federal crime of terrorism".
  6. Doe v. Ashcroft, No. 04 Civ. 2641, slip op. at 113 (S.D.N.Y. Sept. 28, 2004).
  7. FOIPP Act, supra note 2, s. 3(1)(c) The definition of organizations includes persons.
  8. Ibid., s. 32 and s. 34(1).
  9. Ibid., s. 69(2).
  10. Ibid., s. 42(1)(b) and s. 42(2)(e).
  11. Ibid., s. 74.1(1).
  12. Ibid., 58(3)(e), s. 58(5) and s. 59(1).
  13. Ibid., s. 58(3)(e).
  14. Personal Information Protection Act, S.B.C. 2003, c.63 [PIPA].
  15. Ibid., s. 15(2)
  16. FOIPP Act, >supranote 2, s. 30.2(2).>
  17. Ibid., s. 30.2(1).
  18. Ibid., s. 30.2(b).
  19. Ibid., s. 30.1
  20. Section 33.2(f) provides for disclosures "to the auditor general or any other prescribed person or body for audit purposes".
  21. FOIPP Act, supra note 2, s. 33(c).
  22. Ibid., s. 32.2(a).
  23. Ibid., s. 33.2(b).
  24. PIPA, supra note 14 at s. 18.
  25. FOIPP Act., supra note 2m s. 30.3(a)-(d).
  26. Ibid., s. 33.1(c)-(d).
  27. Ibid., s. 33.1(2).
  28. Personal Information Protection and Electronic Documents Act.
  29. "Organizations in Alberta and British Columbia Receive Exemption from Federal Personal Information Protection Legislation" Canada Newswire (3 November 2004), online: Canada Newswire http://www.newswire.ca/en/releases/archive/November2004/03/c8042.html.
Please contact James Kosa for more information.

Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.

E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.

By Editors
Deeth Williams Wall November 10, 2004 November 10, 2004 September 23, 2015
Outsourcing