It came up in the research of a story on outsourced backup I filed recently. Steve Rodin, president of backup service provider Storagepipe, mentioned that his company’s Canadian location was attractive to some U.S. companies because “we’re not subject to the Patriot Act,” and that there’s a fundamental conflict between that American legislation and Canada’s PIPEDA privacy protection law.
I consulted a lawyer — as one does — who only had time for a brief comment before my deadline. But James Kosa, an associate with Deeth Williams Wall in Toronto, did get back to me with a more detailed response. So did Jason Young, another Toronto lawyer with considerable tech industry expertise. I asked two questions of each: Is a U.S. firm’s data safer from national security letters under Section 215 of the Patriot Act if it is backed up offsite in Canada? And is there a fundamental contradiction between the Patriot Act and PIPEDA?
Q. Is a U.S. firm’s data safer from national security letters under Section 215 of the Patriot Act if it is backed up offsite in Canada?
Kosa: It depends.In most cases, the fact that it was stored in Canada would be irrelevant. The question is whether the entity having access and control of the data is subject to U.S. law.
PIPEDA specifically contemplates allowing access to personal information where it is requested by a government institution “for the purpose of enforcing any law of […] a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law”. If a U.S. company is the subject of a request under U.S. law, such as under the Patriot Act, to disclose information that is located in Canada but otherwise under the care and control of the U.S. company, it would likely not be in breach of PIPEDA, but would likely face the consequences in the U.S. if it does not comply with the request.
Some provinces have enacted legislation that makes the situation more complicated. For example, in B.C., provincial privacy legislation prohibits disclosure of personal information in response to a subpoena, warrant or order issued or made under foreign law. A company that breaches this law may face large fines. This may mean that a company and its subsidiaries or agents may be subject to both the Patriot Act and Canadian privacy laws, and may not be able to comply with one law without defying the other.
Young: Any firm doing business in the U.S., including any firm that has assets in the US even if they don’t regularly do business there, would be subject to U.S. law and required to comply with an NSL (national security letter) filed under the Patriot Act. The requirement for the firm to produce the information would not be affected by the fact the data was backed up in Canada.
Q. Is there a fundamental contradiction between the Patriot Act and PIPEDA?
Kosa: The Patriot Act and PIPEDA serve fundamentally different purposes. The Patriot Act is designed to increase the tools available to law enforcement to combat crime, and to increase the penalties for certain crimes, with the goal of fighting terrorism. This is clear from the preamble of the act, which reads: “An Act to deter and punish terrorist acts in the United States and around the world, to enhance law enforcement investigatory tools, and for other purposes.” It authorizes increased surveillance powers and provides law enforcement with broad powers to access information, including personal information, business records, and other confidential information.
In contrast, PIPEDA is an act specifically designed to protect personal information from unauthorized collection, use and disclosure by private companies. The whole point is to make it harder for an entity to access personal information. Though it does not specifically prevent law enforcement from accessing personal information, it is part of a larger set of privacy legislation that protects personal and business information.
Young: I would not go so far as to say there is a contradiction between PIPEDA and the ability for law enforcement to gain access to personal information held by businesses under authority of the Patriot Act or another statute. PIPEDA does not prohibit cross-border disclosures or transfers and contains exceptions for disclosure of personal information without consent, including exceptions for disclosures required by, or to enforce, domestic or foreign laws.
However, there is friction between the principles in PIPEDA which require organizations to seek the informed consent of individuals when using and disclosing individuals’ personal information and the Patriot Act’s broad grant of authority to compel individuals’ personal information from organizations. The chief criticism of Section 215 has been that it allows the FBI to seek personal information from U.S. organizations for almost any reason and with very little judicial oversight. This was not the original intent of the law and stands in contrast to our system of judicial oversight for search warrants in Canada.