THE U.S.A. PATRIOT ACT: PRIVACY IMPLICATIONS FOR CANADIANS
By Micheal Vonn, Policy Director, British Columbia Civil Liberties Association
In the fall of 2004, the Information and Privacy Commissioner for British Columbia released a much-anticipated report on the privacy implications of public sector outsourcing to U.S.-linked companies. The report deals specifically with the privacy implications of releasing personal information to companies that are subject to the U.S.A. Patriot Act. The report was apparently unprecedented and eagerly awaited in jurisdictions as far away as Europe.
The report was triggered by the proposal of the British Columbia Government to contract out the administration of BC’s public health insurance program. In the summer of 2003, the BC Ministry of Health put out a request for proposals seeking a private partner to take over the administration of the BC Medical Services Plan (MSP) and Pharmacare. The Province selected Maximus, a private American company with a Canadian subsidiary.
The British Columbia Government Employees’ Union (BCGEU) mounted a court challenge to this contracting out. The challenge is a judicial review of the Province’s decision to contract out based on two grounds: 1) an argument that the contracting out contravenes the “public administration” requirement of the Canada Health Act; and 2) that the contracting out violates the BC Freedom of Information and Protection of Privacy Act (FOIPPA).
The second issue, about privacy protection, galvanized a group of community organizations to put together a campaign to bring the matter to the attention of the public. This group, the Right to Privacy Campaign, was spearheaded by the British Columbia Persons with AIDS Society whose members, being vulnerable to discrimination on the basis of health status, are deeply concerned about unauthorized disclosures of personal heath information.
The USA Patriot Act
The USA Patriot Act is a piece of American “anti-terrorism legislation”. Section 215 of the Patriot Act authorizes the FBI to obtain orders from a secret intelligence court (the Foreign Intelligence Surveillance Court) requiring any person or organization to disclose “any tangible thing”. “Any tangible thing” could include entire databases of records. This section and similar provisions in the Act are sometimes called “sneak and peek” provisions because the surveillance and seizures are secret. The provisions include a “gag order” that forbids a person who has been served with an order from telling anyone about it. There is thus no way to know that the U.S. authorities have obtained your information and no ability to challenge the seizure of information.
This kind of legislation is a very radical departure from the traditional checks on democratic governments’ power to search and seize. In addition to the “gag order” and the secrecy of the court, there is also no requirement for reasonable and probable grounds to be shown in order to obtain the authorization for the search and seizure. The FBI can obtain authorization from the secret court without demonstrating that the surveillance target is suspected of engaging in criminal activity or espionage.
To understand what is at stake, privacy-wise, in terms of unauthorized disclosures to the American authorities, the MSP and Pharmacare databases include information about British Columbians’ health treatments, prescription drugs, net income, mental health history, criminal records and records from the Ministries of Children and Families and Human Resources.
If the FBI were to seize the MSP database, that database could, through the operation of another piece of American anti-terrorism legislation called the Homeland Security Act, be put into classified centralized databanks that are routinely available to various law enforcement agencies and other agents of the American government.
And just incidentally, Maximus, the company that the provincial government choose to outsource to, is an intimate partner in the American homeland security apparatus, stating on their company website that it is an “…outreach company for homeland security [Act] information sharing.” That particular quote was cited in a Right to Privacy Campaign press release, after which that portion of the company’s website was edited to eliminate the quote that appeared in the press release.
However deeply embedded in U.S. homeland security the company in question may be, there is nevertheless no question that section 215 of the Patriot Act authorizes the FBI to get access to records held by any companies in the United States. There is, however, a question about whether that access extends to American companies operating in other countries, countries that are not subject to American law.
Jameel Jaffer, lawyer for the American Civil Liberties Union, stated in his expert opinion that whether an American company would be required under the Patriot Act to produce the records of a Canadian affiliate could depend on factors such as the specific legal relationship of the two corporations and on whether the American company could access and obtain the information sought.
When the BC Privacy Commissioner initiated a public inquiry into the implications of the Patriot Act on public sector outsourcing, the first question on which submissions were requested was the question of whether the reach of the Patriot Act extended to Canadian affiliates of U.S. companies.
The Privacy Commissioner’s Report
The Privacy Commissioner’s Report took longer than expected to complete because of the overwhelming number of submissions received. The Commissioner received over 500 submissions from Canada, the U.S. and Europe. The submissions came from privacy groups, health care providers, labour organizations, governments, library associations, information technology companies, concerned citizens, civil liberties organizations, the FBI and the U.S. Department of Homeland Security. From these submissions, and with the assistance of expert legal advisors, the Privacy Commissioner wrote a 151 page report which appears to be the most thorough assessment of the issue to date.
The central finding of the report is that there is a reasonable possibility that the U.S. Foreign Intelligence Surveillance Court that issues orders for the FBI would authorize an order requiring an American company to produce records held in Canada by a Canadian subsidiary. That there is only an ability to determine whether there is a reasonable possibility of this occurring has everything to do with the matter falling under the rubric of “anti-terrorism” which almost guarantees that the relevant facts will be shrouded in secrecy.
The US Department of Justice claims that the information as to even how often
Section 215 of the Patriot Act has been use is “classified”. In July 2004, a US
Legislative effort to prevent s. 215 from being used in order to demand records from libraries was defeated. While members of the American Library Association say that they suspect that the government has been using the Patriot Act to access library records, that is based on anecdotal evidence. In the face of a refusal to “declassify” even the number of times the provision has been used, the only evidence available is anecdotal. Anyone who has been served with such an order is “gagged” by the provision from disclosing the fact.
So, there is no way to know if s.215 of the Patriot Act has ever been used to access records in Canada or for that matter, exactly how the secret court would assess such a request from the FBI.
The Province of British Columbia, in its lengthy submission to Privacy Commissioner, argued that the risk of the operation of the Patriot Act allowing US authorities to access our personal information is merely “a small incremental risk” and even the small risk is diminished because the U.S. is obliged by treaty to go through proper channels for access to such information and it would be a diplomatic scandal if they circumvented the established protocol. The argument being, in short: they (almost) can’t and at any rate, they wouldn’t. The Privacy Commissioner’s findings were that the evidence and information available indicates rather that they can and they would.
Even outside the provisions of the Patriot Act, in the regular course of affairs, U.S. courts and grand juries have made orders in relation to records located in Canada and other countries. Some American courts have upheld subpoenas ordering American companies to disclose records located outside the U.S., even where the records were located in countries that had laws prohibiting the disclosure of the records. The Privacy Commissioner reasoned that there is no indication that such extra-territorial orders will not be sought (or have not been sought already) by the FBI and every likelihood that such orders would be authorized given that the Foreign Intelligence Surveillance Court is virtually guaranteed to give greater weight to perceived U.S. national security concerns than to Canadians’ privacy protection.
In answer to the second question posed in the Inquiry’s request for submissions, the report concluded that a disclosure of records to the FBI is “unauthorized disclosure” under the BC public sector privacy legislation. Therefore, public bodies, directly and through their contractors, must implement reasonable security arrangements to protect personal information against this risk.
Which of course begs the question, what constitutes a “reasonable security measure” in this circumstance?
Many of the submissions to the Privacy Commissioner said that there should be a ban on outsourcing personal information to non-Canadian companies, but the Privacy Commissioner did not recommend such a ban. The report states that a ban would be impractical because in order to be effective, it would have to extend beyond American companies and cover all Canadian companies that have U.S. subcontractors or employ U.S. nationals or who employ subcontractors who employ U.S. nationals.
While not recommending a ban on outsourcing, the report does make a comprehensive series of recommendations for protecting privacy in the face of what some have called “the long-arm of the USA Patriot Act”. These recommendations include:
amendments to existing provincial and federal privacy legislation for both the public and private sector;
that the federal and provincial governments seek assurances from the U.S. that the Patriot Act will not be used to access personal information records in Canada;
that public bodies that outsource implement independent compliance audits of privacy protections;
that there be audits of information-sharing agreements between Canada and the U.S. and data mining activities of public bodies;
that Canada negotiate with foreign trade partners (including the World Trade Organization) to ensure that trade agreements and treaties do not impair Canada’s ability to enact privacy protections in accordance with Canadian values;
that Canada advocate with the U.S. and Mexico for comprehensive transnational data protection standards and for multilateral agreements respecting control and oversight of transnational information sharing for governmental purposes, including national security and public safety purposes.
What’s Happened Since the Report Came Out?
Immediately on the release of the Privacy Commissioner’s report, the Provincial Government, which had carried on with its outsourcing contract negotiations while the report was pending, announced itself vindicated because the Privacy Commissioner had not recommended a ban on outsourcing. Apparently ignoring virtually every other aspect of the report, including the risk assessment and the comprehensive recommendations, the Province immediately signed a contract with Maximus.
It should be noted that prior to the Privacy Commissioner’s report being released, the Province did make some significant changes to the provincial public sector privacy legislation. All of the changes are welcome additions to privacy protection, but the question is whether they do, as the Province claims, guard sufficiently against the exercise of the Patriot Act.
From the Privacy Commissioner’s perspective, they do not. The Commissioner has stated that further amendments are needed to clarify the conditions under which information can be disclosed outside of Canada and the rules for information sharing. Among other concerns, the Commissioner called for further amendments to make an express and direct legislated prohibition against disclosure in response to foreign court orders and for implementation of contractual and practical arrangements to address unauthorized disclosure or access.
The outsourcing of the MSP and Pharmacare administration has sparked other inquiries into the issue of the vulnerability of Canadians’ information to the Patriot Act. The Vancouver Sun, Dec. 18, 2004 sported the front page headline: “U.S. law ‘threatens Canada’s secrets’”. The news story reported on the findings of a team of Canadian government lawyers who studied the vulnerability of the country’s “top secret” data, including highly sensitive personal, military and national security information. The government lawyers’ findings echoed those of the BC Privacy Commissioner: information held by U.S.-linked companies is at risk.
That particular news story mentions that American firms currently have access to the personal information of hundreds of thousands of Canadians, including students with student loans. We might ask ourselves whether the FBI, in the interests of U.S. national security, would be at all interested in knowing that Janie Bloggs of Saint John, New Brunswick owes $10,000 in student loans.
That issue came up tangentially in the Privacy Commissioner’s report. One of the factors that the report notes in the risk assessment is the extent to which the U.S. has demonstrated a voracious appetite for the acquisition of personal data in its efforts to prevent terrorism. As the British Columbia Civil Liberties Association noted in its submission to the Privacy Commissioner, “[t]he US has invested very heavily in an information-based approach to stopping terrorism. The US General Accounting Office report of May 2004 enumerates almost 200 data-mining initiatives of the US government…”.
Data mining is the extraction of information from large volumes of data by techniques such as statistical analysis and modeling. As stated in the Privacy Commissioner’s report:
A key characteristic of data mining is that analysis of an individual’s personal information creates new, secondary, information about that person. The “hidden patterns and subtle relationships” that data mining detects are recorded and become personal information of the individual whose life is being scrutinized and analyzed. Information about an individual’s credit history, credit card purchases, law enforcement record or interactions, travel habits and so on may be mined to derive the finding that she is a possible terrorist or should be put on a terrorist watch list and kept under surveillance.
Given the degree to which racial profiling appears to be a key element of “information-based security” as it is currently practiced, it is not difficult to guess some of the “flags” likely being used in these initiatives. The New York Times reported last year that the U.S. Census Bureau has provided the U.S. Department of Homeland Security with a ZIP-code level breakdown of every Arab-American citizen sorted by country of origin.
And as touched on above, what we are discussing is most certainly not confined to issues of terrorism, even though it springs from so-called “anti-terrorism legislation”. Centralized databanks authorized under the US Homeland Security legislation and other data sharing arrangements allow broad access to data, especially to ordinary law enforcement authorities.
In reporting on the uses of the Patriot Act that are not “classified”, the U.S. Department of Justice is quite explicit that the Patriot Act is “bringing down the wall” that used to prevent law enforcement and intelligence gathering agencies from sharing information. The Patriot Act has been used to a very great extent for ordinary criminal investigations and surveillance that has nothing whatsoever to do with “terrorist” activities.
In short, there is a lot of evidence to suggest that, as was feared, “sneak and peek” surveillance provisions and other extraordinary “anti-terrorism” measures are being used to water-down or do a complete end-run around traditional protections against the abuse of state power; protections such as checks and balances, due process, “reasonable and probable grounds” and judicial oversight. This is a much broader issue, of course, than the issue of the privacy implications of the Patriot Act, but it illustrates the many ways that our personal information could be of interest to U.S. authorities. Outside of the vast and increasingly amorphous definition of what constitutes “national security”, parties likely to have an interest in Canadian personal information include ordinary U.S. law enforcement, customs and immigration authorities and the American Internal Revenue Service.
Update on Where We Stand Now
On the U.S.-side of the equation, there has been a very interesting development in a U.S. Federal Court decision in the fall of 2004 that struck down an entire provision of the Patriot Act. The American Civil Liberties Union has legally challenged the constitutionality of several provisions of the Patriot Act, including s.215 which is discussed in this paper. The provision that was recently struck down is s.505 which deals with “National Security Letters”. These are orders which require Internet Service Providers and other businesses to hand over sensitive customer records under a “gag order” and without the ability to challenge the order in a court. So, basically a “sneak and peek”, the same essential mechanism as under s.215.
This is the first ruling to strike down any of the surveillance powers authorized by the Patriot Act. And the assumption is that the U.S. government will appeal the decision all the way up to the U.S. Supreme Court. But, that said, what the decision says is very important. The court found that the gag order was an “unconstitutional prior restraint” on free speech and the provision itself a violation of the right to be free from unreasonable searches as provided for in the U.S. Constitution. 
Canada-side, Canadian Treasury Board President, Reg Alcock, has said that he has ordered federal departments and agencies to look at all contracts with private companies to determine what information could be vulnerable to the operation of the Patriot Act. Mr. Alcock has also said that the federal government raised the issue during the U.S. President’s recent visit to Ottawa and that the Federal Department of Justice is looking at ways to incorporate new language into outsourcing contracts to make it clear that companies must respect Canadian privacy legislation.
Meanwhile, the contract with Maximus now having been signed in British Columbia, the legal challenge is going forward, with a hearing expected in the early spring of 2005.
At the close of 2004, the BCGEU commissioned a public opinion poll of 511 people on privacy issues. The survey showed that 85% of those polled think that it is a bad idea to contract out management of sensitive personal records to U.S.-based companies, including 57% who think it is a very bad idea. Only 14% of those polled felt that the threat of the Patriot Act to their privacy was minimal.
Experience to date has shown that the public is concerned with this issue and the weight of legal opinion bears out that the concern is justified. Experience has also shown that governments are apt to grandstand on the importance of privacy generally at the same time that they do far, far less than is required to actually safeguard that right in the face of this specific risk. In terms of what is necessary to do that safeguarding, the most comprehensive study available is the BC Privacy Commissioner’s report. The recommendations of that report should be fully implemented.
 Privacy and the USA Patriot Act: Implications for British Columbia Public Sector Outsourcing. Available online at: http://www.oipcbc.org/sector_public/usa_patriot_act/pdfs/report/privacy-final.pdf
 In particular ss.201 and 202
 Correspondence from Jameel Jaffer to Cathie Parker (6 August 2004), available online: http://www.bcgeu.ca/bbpdf/040806_privacy_submission_2.pdf at p.45.
 Submission of the British Columbia Civil Liberties Association to the Information and Privacy Commissioner for British Columbia (6 Aug 2004) p. 5, online: http://www.bccla.org/othercontent/04patriot%20Act.htm
 Available online: http://www.gov.bc.ca/mser/down/submission.pdf
 Correspondence from David Loukidelis, Information and Privacy Commissioner for British Columbia, to Joyce Murray, Minister of Management Services, (29 October 2004), http://www.oipcbc/org/news/21120murray102904.pdf
 Peter O’Neil, “U.S. law threatens Canada’s secrets”, (18 December 2004) The Vancouver Sun A1, A10.
 Submission of the British Columbia Civil Liberties Association, supra note 5, p. 4.
 Privacy and the USA Patriot Act: Implications for British Columbia Public Sector Outsourcing, supra, note 1, p.52.
 Lynette Clemetson, “Homeland Security Data on Arab-Americans (30 July 2004), online: The New York Times, http://www.nytimes.com/2004/07/30/politics/30census.html.
 U.S. Department of Justice, “Report from the Field: The USA Patriot Act at Work” (July 2004), online: http://www.lifeandliberty.gov/docs/071304_report_from_the_field.pdf at p. 2, 3, 5.
 ACLU, supra note 13
 O’Neil, supra note 8, A10