The Implications of the U.S. Patriot Act on Outsourcing by


Cross-Border Privacy Issues and
the USA Patriot Act
Presentation for INSIGHT
Montréal
December 7-8, 2005
Charles Morgan
Overview
I Overview of the USA PATRIOT Act
II Recent Cross-Border Privacy Developments
III Impact and Mitigation of Risks
I Overview of the USA PATRIOT Act
Implications for Cross-Border Privacy
What is the USA PATRIOT Act?
• “Uniting and Strengthening America by Providing Appropriate Tools
Required to Intercept and Obstruct Terrorism”
• Anti-terrorism legislation enacted by the U.S. Congress shortly after
September 11, 2001.
• Expands the intelligence-gathering and surveillance powers of law
enforcement and national security agencies by amending the U.S. Foreign
Intelligence Surveillance Act (“FISA”).
• FISA grants U.S. authorities the power to gather intelligence on foreign
agents in the U.S. and abroad.
• Under FISA, the Foreign Intelligence Surveillance Court (“FIS Court”) has
the power to issue secret ex parte orders allowing U.S. authorities to
gather information from third parties.
• Failure to comply with a FISA order and to keep its existence secret is an
offence in the United States.
USA PATRIOT Act: s. 215
• Section 215 of the Patriot Act did not create a new
jurisdiction to compel the production of records, but rather
amended a pre-existing provision of FISA.
• Three changes were made:
  - Prior to the enactment of s. 215, the FIS Court could compel
  common carriers, public accommodation facilities, physical storage
  facilities or car rental facilities to produce their business records.
  Section 215 now authorizes production orders directed to any person or
  entity;
  - Section 215 modified the former requirement that the information
  sought related to “a foreign power or an agent of foreign power”. It
  now applies to any individual or organization that is relevant to an
  investigation of “international terrorism or clandestine intelligence
  activities”; and
  - Section 215 changed the scope of items that may be obtained from
  “records” to “any tangible things” (including books, papers, records,
  documents, and other items).
USA PATRIOT Act: s. 218
• Section 218 has changed the standards used by
the FIS Court before approving an application for
electronic surveillance or physical search. The
previous standard required certification by a
security official that the physical search or
electronic surveillance was for the sole purpose
of foreign intelligence information. Section 218
now expands the criteria by requiring that a
significant purpose of the intended surveillance
or search is to obtain foreign intelligence
information.
National Security Letters
• Section 505 amends certain provisions of the
Electronic Communications Privacy Act, the Right to
Financial Privacy Act, and the Fair Credit Reporting
Act making it easier to obtain National Security
Letters (“NSLs”).
• An NSL is an administrative subpoena that permits an
FBI supervisory official to request particular
records that relate to counterintelligence or
terrorism investigations from third parties, such as
telephone and Internet activity records (available
under 18 USCS § 2709), as well as financial and
credit records from banks and other financial
institutions (available under 12 USCS § 3414).
National Security Letters
• The Director of the FBI may now issue an NSL
permitting the FBI to obtain certain records in
circumstances where those materials are “relevant to
an authorized investigation to protect against
international terrorism or clandestine intelligence
activities”.
• A recent case held that the secrecy associated with the
NSL process is inconsistent with the First Amendment
to the US Constitution. Doe and ACLU v. Ashcroft,
2004 U.S. Dist. Lexis 19343 (S.D.N.Y. 2004)
Jurisdiction to Make Production Orders
• The test is one of control of the documents
sought to be produced.
• The expression “control” means not only the legal
right to obtain the documents but also whether
the United States business has “access to the
document” or “the legal right, authority or
practical ability to obtain the materials sought
upon demand”.
• Neither location within the US nor actual
possession by the US entity is necessary.
Jurisdiction to Make Orders to Produce
Documents Held by Affiliate Entities
• “Courts in the United States have
generally held United States
corporations responsible for production
of documents located abroad in the
possession of their foreign branches or
subsidiaries, unless a defence, such as
an effective blocking order, is applicable
where the information is located.” The
Restatement (Third) of the Foreign
Relations Law of the United States
New Act, Old Concept
• Once personal information about Canadians is transferred
outside Canada, the laws of the country to which the
information has been transferred will generally apply to
determine when government agencies and authorities can
obtain access to that personal information.
• The USA PATRIOT Act is relatively new, but the concept
behind the legislation is not. The Act is one example of a
law that can give the US government or its agencies
access to personal information about Canadians that has
been transferred to the United States, e.g. National
Security Letters, grand jury subpoenas.
MLAT Alternative
• If the FBI desires to obtain records
held by a Canadian affiliate of a U.S.
company, it would be likely to rely
on the bilateral treaty between the
United States and Canada known as
the Mutual Legal Assistance Treaty
(the “MLAT”).
II Recent Cross-Border Privacy Developments
Recent Cross-Border Privacy
Developments
• There have been 3 Patriot Act-related
events in BC worth briefly mentioning
  - Privacy Commissioner report on public sector
  outsourcing and the Patriot Act
  - Freedom of Information and Protection of
  Privacy Act (“FOIPPA”) amendments
  - BC government litigation re: Ministry of
  Health outsourcing
BC Information & Privacy
Commissioner’s Report
• After receiving more than 500 submissions from across Canada,
the Information and Privacy Commissioner of B.C., David
Loukidelis, released the Patriot Act Report on October 9, 2004.
• The Commissioner concluded that FOIPPA required public bodies,
directly or through their contractors, to implement reasonable, but
not absolute, security arrangements to protect personal
information against risks, including risk of unauthorised disclosure.
• The Commissioner concluded there is a “reasonable possibility”
that the FIS Court would issue a FISA order requiring a U.S.-located
corporation to produce records held in Canada by its
Canadian subsidiary.
• Despite this concern, the Commissioner also concluded that a ban
on outsourcing would neither be practical nor effective. Instead,
he recommended that other measures be implemented at
legislative, contractual and practical levels to mitigate, though
probably not eliminate, the risk of unauthorized disclosure in
response to a FISA order or national security letter.
Potential Scope of the Order
• “Any data transmission to or through the U.S. would be
subject to electronic surveillance provisions of American
law. Depending on how outsourcing contracts are
written, they may permit electronic transmission of data
to or through the U.S. This could happen on data backup
or processing, or simply by internet transmissions routed
through the U.S. The broad surveillance provisions of the
USA Patriot Act, now available for purposes other than
investigating terrorism, would then jeopardize the privacy
rights of British Columbians.” Patriot Act Report at p. 72,
citing submission of the BC Government and Services
Employee’s Union
Effect of Contractual and Practical Steps
to Avoid Disclosure
• “We do not suggest that public bodies cannot or should
not implement contractual or practical arrangements relating
to control. To the contrary, we recommend that such
arrangements be put into place. This is because, despite the
cases in which corporate ownership is enough to establish
control over records, other cases suggest that such measures
might influence the control issue.”
• “Any contractual and practical measures to keep
personal information out of the control of a US-located parent
corporation would also speak to British Columbia public policy
respecting the privacy of personal information. This is important
because, even if a US court decides that records located outside
the US are controlled by a US-located corporation, it will apply
a balancing test to decide whether it should order disclosure in
the face of foreign law that prohibits disclosure.” Patriot Act
Report at 120-121
FOIPPA Amendments
• In the Fall of 2004, prior to the release of the
Commissioner’s report, the B.C. government
made several amendments to FOIPPA, including:
  - personal information, including information that is
  disclosed to service providers, in the custody or control
  of a public body must be stored and accessed only in
  Canada, unless specifically stated otherwise;
  - limits purposes for which a public body may disclose
  personal information outside of Canada;
  - no grandfathering: the public authority shall use all
  reasonable efforts to comply with the new disclosure
  rules as soon as reasonably possible;
FOIPPA Amendments
  - requires public bodies and service providers to report
  to the Minister any foreign demand for unauthorized
  disclosure of personal information (i.e. not authorized
  under FOIPPA);
  - a new “whistle-blower” protection has now been
  implemented for individuals who report a foreign
  demand for disclosure of personal information; and
  - additional offences have been created for violation of
  the new privacy protection provisions (for example,
  fines of up to $500,000 for a corporation, up to
  $25,000 for a partnership or individual service
  provider, and up to $2,000 for an employee).
The Maximus Decision
• March 14, 2005 decision, BC Government Service
Employment Union v. British Columbia (Minister of Health
Services) (“Maximus”) considered the Patriot Act and
outsourcing in British Columbia.
• Petition by the BCGEU to stop the outsourcing of certain
health benefit operations by the British Columbia
government to British Columbia subsidiaries of a U.S.
publicly traded company (MAXIMUS Inc.).
• The union’s petition was dismissed on other grounds, but
the court went on to consider the privacy issues raised by the
union.
Maximus privacy findings
• The following paragraphs from Justice Melvin’s decision
highlight the relevance in Canada of the Patriot Act but at
the same time make it clear that the Patriot Act is not a
bar to outsourcing transactions in Canada:
“[65] Accepting that a FISA court in the United States,
acting under s. 215 of the Patriot Act, would order Maximus
U.S. to produce records and further accepting that the order
would have extra territorial application in respect of Maximus
U.S. subsidiaries, the issue still is which records are under
control of Maximus U.S. and does Maximus U.S. have
access? The opinions differ. However, I accept that the
contractual provisions, the corporate structure, and the
legislative provisions provide more than reasonable security
with respect to records in British Columbia.”
Maximus privacy findings
“[67] Although the experts’ evidence differs as to
whether or not there is a likelihood of a U.S. Patriot
Act application and order under s. 215 in relation to
Maximus U.S. or any of its Canadian subsidiaries, and
the effect of that order, in my opinion when one
analyzes the contract and the legislation it is clear that
parties to this arrangement have taken all reasonable
steps to ensure the confidentiality of the information
which Maximus will receive in order to discharge its
contractual obligations. Privacy is not absolute.”
Other Recent Activity
• Events relating to the Patriot Act in Canada have not been
exclusive to British Columbia.
• In December, 2004 the government of Alberta announced
that they would be conducting their own review of the
Patriot Act and its impact on privacy in Alberta.
• The federal government also announced in early 2005 that
they were considering implementing contractual provisions
going forward that would address Patriot Act concerns.
• In October 2005, Jennifer Stoddart announced that the
federal (public sector) Privacy Act should be substantially
amended in light of recent developments
  - « privacy threats multiplying like a bad virus, threatening to overwhelm us... »
  - « voracious appetite for personal information and surveillance in post-9/11 environment »
• Amendments to FOIPPA amendments under consideration
III Impact and Mitigation of Risk
Impact?
• Level playing field as between
« entirely Canadian » corporate
structures and Canadian subsidiaries
of US entities?
• Structural and contractual
adjustments
• Free transborder flow of personal
information will be slowed/curtailed
Eliminate Access by US Entities
• Prevent U.S. entities from having access to or
control over personal information.
• Consider need to prevent access by US
employees and contractors.
• Contracts between employees and US parent
should address handling of data including
restrictions on disclosure to U.S. entities.
• Employees should receive appropriate training
regarding the applicable processes relating to
access to and control of data.
Technical Measures
• Use technical and business processes that limit
the likelihood that information will be used other
than as desired.
• Identify and segregate personal data.
• Limit access to those persons with a need to
know to reduce the risk of intentional or
inadvertent disclosure.
• Use appropriate security mechanisms to limit
data being removed from premises in physical
or electronic forms.
Structural Approaches
• Contractual relationships in which Canadian data is
accessible only by an entity unrelated to any U.S.
company, and a U.S. company by contract provides
services or support to the Canadian entity.
• Corporate structural approaches in which the Canadian
data is accessed by an entity that is an affiliate of the
U.S. company but over which the U.S. company does
not have control e.g., proxy relationships, limited
partnerships, non-voting equity structures, etc.
Contractual Obligations with US Provider
• Some US cases suggest that contractual or practical
arrangements may influence a US court’s findings
regarding control and be effective.
• Use contractual terms to ensure that the customer has the
exclusive right, power and authority to control the use and
disclosure of personal information to third persons, and to
obtain agreement that physical possession of personal
information is provided to the outsourcer/service provider
as a trustee for the sole benefit of the customer solely to
provide the services.
• A court could declare the contractual restrictions to be
void as against U.S. public policy or might refuse to
enforce the provision.
Notify Customers and Obtain Consents
• Notify customers that the information may be
available to the US government or its agencies
under a lawful order made in that country
• Consider referencing « compliance with Canadian
law » in consent as a further barrier to
unfettered response to USA Patriot data request
Q&A
CHARLES MORGAN
Partner
Charles Morgan is a partner in our Business Law Group in
Montréal. In his corporate/commercial practice, Mr. Morgan
focuses on the areas of information technology, electronic
commerce, intellectual property, data protection and
telecommunications.
Mr. Morgan assists his clients in a broad range of matters
including the transfer of technology, distribution, intellectual
property management issues, protection of privacy matters,
joint venture and strategic alliance arrangements, as well as
issues related to the Internet and e-commerce.
Mr. Morgan is sought after by clients to provide both
immediate issue-related privacy advice, as well as longer-term
privacy policy counsel.
Mr. Morgan is one of two current Canadian contributors to
the serial Data Protection Laws of the World (Sweet &
Maxwell; 2000) and a contributor to the book The Law of
Privacy in Canada (Carswell, 2000). In addition, Mr. Morgan is
co-author of the following books: Cyberlaw: What You Need to
Know about Doing Business Online (Stoddart; 1997); Cyberlaw:
A Guide for South Africans Doing Business Online (Ampersand;
1999); and Communications Law in Canada (Butterworths;
2000).
Mr. Morgan frequently speaks at conferences on matters
related to his practice areas, including data protection,
communications, technology and copyright law.
Office: Montréal
Direct Line: 514.397.4230
E-mail: [email protected]
Year of Call: 1998