Fasken Martineau DuMoulin LLP
Barristers and Solicitors
Patent and Trade-mark Agents
Toronto
Submission on the USA Patriot Act
To
The Information and Privacy Commissioner
for British Columbia
Jeffrey A. Kaufman, LL.B
Chair, Ontario Bar Association Privacy Section
Executive Member, Canadian Bar Association Privacy Section
Co-Director, Fasken Martineau National Privacy Group
Richard D. Butler, Student-at-Law
The statements and opinions made herein are the views of the authors and not necessarily those
of any law firm, organization, association, institution, or business affiliated with these authors.
© Copyright 2004, Jeffrey A. Kaufman LL.B and Richard D. Butler, Student-at-Law
The authors wish to express their appreciation to the British Columbia Information and
Privacy Commissioner for the opportunity to submit their views on the important and timely
issue of extraterritorial application of privacy legislation.
Canadian businesses, across the country, have a strong interest in the practical
consequences of this conflict of laws examination both because of the interdependence of the
economies of Canada and the United States, which enjoy the largest bilateral trading relationship
in the world, and because of the significant effects the proposed extraterritorial application of
Canadian privacy law is likely to have on administration of the outsourcing industry and
Canada/US commercial relationships. In the course of practice, the primary author has been
consulted by several multi-national firms who have significant business concerns for how the
principles of privacy, comity and reciprocity interrelate and are applied on an international scale.
These businesses have a vested interest in the efficacy of privacy laws as well as the implications
of such laws on the outsourcing industry and cross-border transactions generally. In response,
the authors believe it is important to canvass the legal issues surrounding this conflict of laws
question to ensure that Canadian jurisprudence regarding privacy and information sharing is
advanced appropriately.
The authors would like to thank Anita Fineberg, LLB. for her valuable insight and
contribution to this submission.
Background
The impetus for this submission comes from the announcement of B.C.’s Privacy
Commissioner, David Loukidelis, that he will examine the implications of the USA PATRIOT
Act1 on the outsourcing of data management and processing services for B.C.’s public Medical
Services Plan (MSP) and PharmCare to a United States company. The examination and resultant
call for submissions are in response to the Petition to Court entered by the B.C. Government and
Service Employees’ Union (BCGSEU) against the Minister of Health and the Medical Services
Commission (MSC). The BCGSEU seeks to quash a proposed contract for data/information
outsourcing2 between the MSC and a US firm on two grounds, the second of which is relevant
to this review:
That the contracting out proposed in the Joint Solution Request for
Proposal would require disclosure of personal information in
circumstances that would constitute a violation of the Freedom of
Information and Protection of Privacy Act3, and is thus ultra vires
the authority of the Minister of Health Services and the Medical
Services Commission4.
1 Pub. L. No. 107-56, 115 Stat. 272 (2001) [herein Patriot Act]. USA PATRIOT stands for "Uniting and
Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism". Enacted
on October 26, 2001.
2 British Columbia Government & Services Employees’ Union (petitioner) v. The Minister of Health Services &
Medical Services Commission (respondents), British Columbia Supreme Court, Victoria Registry No. 04-0879.
3 R.S.B.C. 1995, Ch. 165 [herein FOIPP].
In his Request for Submissions5 assessing the Patriot Act implications for privacy
compliance under B.C.’s FOIPP Act the Information and Privacy Commissioner poses the
following two questions:
1. Does the USA Patriot Act permit USA authorities to access personal information of
British Columbians that is, through the outsourcing of public services, in the custody or
under the control of USA-linked private sector service providers? If it does, under what
conditions can this occur?
2. If it does, what are the implications for public body compliance with the personal privacy
protections in the FOIPP Act? What measures can be suggested to eliminate or
appropriately mitigate privacy risks affecting compliance with the FOIPP Act?
The authors do not propose to answer question #1; that is a matter of American law for
US counsel. These submissions assume that the answer is in the affirmative.
We believe that question #2 raises a matter of national interest that extends beyond both
the province of British Columbia and the outsourcing of public sector services. That is,
regardless of the narrow framing of the questions above, we believe that it is equally important to
consider this issue in the context of private sector organizations across Canada that may be
‘USA-linked’ in circumstances in which they hold personal information of Canadians, either in
Canada or in the United States, both in their capacity as the recipient of previously collected
personal information, or in the capacity as a holder of personal information at first instance. The
implications for US corporations with a Canadian office, or alternatively, Canadian corporations
with US offices or affiliates must also be taken into account as these bodies will be impacted by
a consideration of international information transfer. The issues raised in British Columbia
threaten to negatively impact on the business operations of any and all companies with operating
units in multiple countries.
Executive Summary
The authors respectfully submit that the issues raised by the above noted question #2
posed by the Privacy Commissioner, as it applies to both the public and private sectors across
Canada, should not be construed as a matter of policy but as a matter of law. The authors are,
therefore, concerned that if the relevant privacy statutes at issue are inappropriately interpreted it
may be detrimental to Canada/US commercial and security relationships and would not respect
the recognized principles of comity and reciprocity. It is our belief that current Canadian
jurisprudence weighs against the broad extraterritorial application of the B.C. FOIPP Act
regarding the circumstances of the BCGSEU petition.
4 Supra note 2 at pg. 1.
5 Available at http://www.oipc.bc.ca/new/21120publicinvite.pdf (accessed July 12, 2004).
Further, a consideration of the circumstances in which a public sector entity or one that
has received personal information as such entity’s agent, may disclose personal information
without consent leads one to conclude that in the vast majority of Canadian provinces disclosures
of personal information pursuant to the Patriot Act would likely not offend any public or private
sector privacy legislation. An examination of the security and disclosure provisions applying to
organizations that hold personal information, as well as a consideration of the restrictions, if any,
of the transfer of personal information from Canada to the United States, reveals that the transfer
of such information, in the appropriate circumstances, does not offend the security provisions of
public or private sector privacy law in Canada. Nor are such provisions breached if a USA-linked
company holds such information in Canada.
Finally, we propose that interjurisdictional models, such as those used between the
Competition Bureau and the US International Trade Commission, as well as the respective US
and Canadian securities regulators, provide greater certainty regarding the cross-border sharing
of information. The goal of such co-operation, highlighted by the second question posed by the
B.C. Privacy Commissioner, would be to eliminate or appropriately mitigate privacy risks that
may negatively impact compliance with Canadian provincial and federal privacy laws. The
authors respectfully recommend that the B.C. Privacy Commissioner, and other relevant
Canadian information/privacy officers, seek to develop such a relationship with the relevant US
authorities to ensure the safe, effective, and appropriate dissemination of information between
governments. Mutual, multinational cooperation, founded on comity and reciprocity, is, and will
continue to be, essential to effective security and privacy while maintaining and promoting
international commerce.
Issues
The case before the Province of British Columbia involves a petition by the BCGSEU to
quash an international contract for service by suggesting that adherence to current U.S. anti-terrorism
law would necessarily create a situation of conflict with Canadian privacy law. That is,
certain provisions of the US Patriot Act necessarily result in a breach of the security provisions
of B.C.’s FOIPP Act. The decision sought by the BCGSEU on the US Patriot Act and B.C.’s
FOIPP demands that there can be no statutory construction by which the two acts can co-exist.
By suggesting that the court quash the contract on such grounds, it is implicit in the argument of
the BCGSEU that despite the international nature of the commercial relationship the provincial
laws of B.C. should be held out as being of primary importance above U.S. Federal legislation.
Therefore, according to this rationale, the BCGSEU submits that Canadian privacy principles
should be extended extraterritorially.
The concern of the authors is that the current B.C. court petition outlines a statement of
policy that inappropriately extends the extraterritoriality of the reach of B.C.’s privacy laws in
the absence of legal authority to do so. Such an interpretation of the B.C. FOIPP Act by a
Canadian court would be tantamount to unilaterally amending the legal framework otherwise
applicable to the daily activities of international business including, but not limited to,
outsourcing. We respectfully submit that the extraterritorial extension of provincial privacy law,
as suggested by the petition, would be:
(i) an inappropriate interpretation of international jurisdiction, which does not defer to the
principles of comity and reciprocity regarding the current conflict of laws question; and
(ii) an inappropriate interpretation of the British Columbian privacy laws lacking
adequate consideration for concordant Provincial and Federal information security and
disclosure (without consent) sections.
I. PRINCIPLES OF COMITY MUST BE RECOGNIZED
The authors submit that the relevant sections of the B.C. FOIPP Act should be construed
consistently with principles of international law and comity embodied in Canadian
jurisprudence.
The petition of the BCGSEU seeks to quash a commercial contract based on a conflict
between Canadian provincial privacy law and US federal security law. The authors respectfully
submit that the appropriate interpretation of this type of conflict of laws situation, recognized in
Canadian jurisprudence, is founded on notions of positive comity between jurisdictions and the
encouragement of reciprocity between regulatory authorities. Therefore, any interpretation of
the B.C. FOIPP Act, in a modern conflict of laws situation, should also defer to the expanding
doctrine of comity between nations and limit the extraterritoriality of our legislation.
Is it appropriate for Canada to extend the jurisdiction of its privacy laws extraterritorially?
The US Supreme Court has dealt extensively with notions of comity, having recognized
over two hundred years ago that an act of Congress ought never to be construed to violate the
law of another nation if any other possible construction remains6. Under international law, the
inherent limitations on the extent to which any nation can, or should, extend its own jurisdiction
unto the jurisdiction of another are recognized to flow from the presumed equality and
sovereignty of nations7. Canada has supported this interpretation, finding that legislation is
presumed to operate only within the territorial limits of the jurisdiction within which the enacting
Legislature functions. As stated by Duff J. in Ontario (Attorney General) v. Reciprocal Insurers:
“… the terms of the statute as a whole are, in their Lordships'
judgment, capable of receiving a meaning according to which its
provisions, whether enabling or prohibitive, apply only to persons
and acts within the territorial jurisdiction of the province. In
their opinion it ought to be interpreted in consonance with the
presumption which imputes to the Legislature an intention of
limiting the direct operation of its enactments to such persons and
acts”8. [emphasis added]
6 Murray v. Schooner Charming Betsy, 6 U.S. (2 Cranch) 64, 118 (1804).
7 I. Brownlie, Principles of Public International Law 6th Ed. (2003).
In Morguard Investments Ltd. v. De Savoye9, the Supreme Court of Canada (SCC) was
concerned with modernizing notions of order and fairness with respect to assertions of
jurisdiction in situations where litigation was connected to more than one jurisdiction. Morguard
established that courts from one province should recognize and enforce the judgment of another
province or territory, giving such judgment “full faith and credit”10 when a “real and substantial
connection”11 between the parties and subject matter of the litigation could be established. The
basis for this acknowledgement of real and substantial connection with foreign jurisdictions was
the court’s resolve to recognize and facilitate “…the flow of wealth, skills and people
across state lines.”12
It is not our suggestion that the Provincial Courts of B.C. do not hold the jurisdiction to
hear petitions of the nature forwarded by the BCGSEU. According to Morguard and Tolofson v.
Jensen13, a further SCC iteration regarding international jurisdiction, the nature of the contract
and parties involved would appear to meet the ‘real and substantial connection’ test noted for the
recognition of interprovincial jurisdiction to provide judgement. However, in modernizing the
common law Morguard shifted Canadian jurisprudence from an examination of territoriality and
sovereignty of the state to an examination of the scope and importance of comity. In doing so,
the decision has provided constitutional guidance in the examination of international conflict of
laws situations14.
8 Ontario (Attorney General) v. Reciprocal Insurers, [1924] 1 D.L.R. 789 (C.A.).
9 [1990] 3 S.C.R. 1077 [herein Morguard].
10 Ibid. at para. 41.
11 Ibid. at para. 51.
12 Ibid. at para. 34.
13 [1994] 3 S.C.R. 1022. The court held that the decisions regarding jurisdiction should meet the normal
expectation in that ordinarily people expect their activities to be governed by the law of the place where they
happen to be and expect that concomitant legal benefits and responsibilities will be defined accordingly.
14 J.G. Castel & J. Walker, Canadian Conflict of Laws 5th Ed. (Toronto: Butterworths, 2002) Loose-leaf updated to
January 2004.
In a Conflict of Laws situation, the doctrine of Comity must be a guiding principle
Comity is “…the deference and due respect by other states to that action of a state
legitimately taken within its territory…”15. This dictum has been embraced and extended in
successive Supreme Court decisions regarding international comity. In Hunt v. T&N plc16, La
Forest J. notes that in the modern era, the recognition of comity parallels an analysis of justice,
necessity, and convenience. As such, he notes that “[g]reater comity is required in our modern
era when international transactions involve a constant flow of product, wealth and people across
the globe.”17
Recently, the Supreme Court of Canada has revisited such notions of enforcement and
recognition of foreign judgments, comity, and reciprocity18. Following the rationale of
Morguard and Hunt, the SCC further expanded the relevance of comity from
enforcement/recognition situations to suggest that comity should be allowed to evolve to ensure
the security of international business relations and cross border transactions19. In its judgment,
the SCC explicitly calls for a modernization of international private law in response to the
prevalence of international cross-border transactions and the rise in importance of international
comity20. Going further, the majority of the Court suggested that, like comity, notions of
reciprocity should persuade interprovincial and international relations so as to foster more
productive cross-border workings. Reciprocity will be of greater importance further in these
submissions with respect to a review of international regulators and their working partnerships.
According to Castel and Walker, these Supreme Court decisions have taken the notion of
comity from merely a lip-service doctrine, to that of the “controlling principle for the proper
functioning of the international order and accommodation of the modern mobility of persons and
wealth.”21 In this capacity, the application of the principle of comity implies that states will
respect, and are hesitant to interfere with, the actions of another state within the limits of its own
territory. This sentiment is shared by J. Currie who suggests that with respect to prescriptive
jurisdiction22, a state is prima facie free to legislate or regulate with respect to persons or events
beyond the extent of its territorial borders. This power is valid and should be recognized so long
as the extraterritorial extension or prescriptive jurisdiction does not conflict with the same
prescriptive rights of the state, which may have a closer connection to the person or events.
15 Supra note 9 at para. 29.
16 [1993] 4 S.C.R. 289.
17 Ibid. at para. 53.
18 Beals v. Saldanha, [2003] 3 S.C.R. 416 [herein Beals].
19 Ibid. at para. 27.
20 Ibid. at para. 28.
21 Supra note 14 at pg. 1-14.
22 J. Currie, Public International Law (Toronto: Irwin Law 2001). “Prescriptive Jurisdiction” represents the power
of the state to make rules governing people, property, and transactions; whereas “Enforcement Jurisdiction” is
the power to take action consequent to those rules, such as executive or administrative action.
The Impeachment Defences of Beals provide a balance between comity and fairness
More recently, in Beals v. Saldanha, the Supreme Court also examined the limited
circumstances by which defences to the enforcement of a foreign judgment may be invoked.
These defences are instructive in this review as they indicate the factors required to set aside
recognition of jurisdiction, thereby suggesting situations which allow courts to examine a
balance between the principles of comity, order and fairness, and the ‘real and substantial’
connection23. The defences of fraud, natural justice, and public policy are to be read narrowly,
providing limited defence when contrasted with the SCC’s expansion of the ‘real and substantial’
test.
The balance between the need to treat foreign judgments as final versus the fraudulent
recovery of judgments creates a limited ‘evidentiary window’ for a challenge to jurisdiction
based on issues of procedural discoverability and due diligence. It is difficult to see how this
defence could be useful in the present B.C. petition.
Domestic courts are charged with ensuring that the minimum Canadian standards of
fairness and due process were available for previous judgments. Natural justice dictates that a
minimum standard of fairness must be applied to previous judgments, but has been viewed
restrictively by the court to relate to the form of foreign procedure and due process rather than
the merits of the case24. The SCC in Beals found that no burden rests with the moving party in
an action, and those defending an action are presumed to know the relevant laws of the
jurisdiction in which they are seized. The authors respectfully submit that Courts should be
hesitant to view the argument against a contract for services, contained in the petition by the
BCGSEU, as similar to a natural justice defence. Doing so would represent a Canadian policy
judgment on the nature and quality of US due process under Federal law and could “…unduly
complicate cross-border transactions and hamper trade…”25, as cautioned by the SCC.
Finally, the public policy defence seeks to assist those who have been burdened by a
judgment that is contrary to Canadian concepts of justice, and contrary to the fundamental
morality of the Canadian legal system. This defence has been clearly instructed to have narrow
application to only those situations that would offend Canadian morality or “shock the
conscience” of the reasonable Canadian26. Similar to the natural justice defence, to invoke this
doctrine with respect to the BCGSEU argument would be to make a clearly critical policy
statement toward US Federal law, essentially labelling the Patriot Act ‘repugnant law’27. The
authors submit that the BCGSEU Petition is neither the appropriate venue for such a statement
nor in keeping with the principle of comity by which conflict of laws scenarios are now
examined.
23 Supra note 18 at para. 40.
24 Ibid. at para. 60.
25 Ibid. at para. 68.
26 Ibid. at para. 73.
27 Ibid. at para. 71; “…the traditional public policy defence appears to be directed at the concept of repugnant laws,
and not repugnant facts…” The Majority quotes from, and sanctions, the writing of J.G. Castel & J. Walker,
Canadian Conflict of Laws 5th Ed. (Toronto: Butterworths, 2002) Loose-leaf updated to January 2004 at pg. 1428.
The doctrine of comity, properly treated under a conflict of laws analysis and consistent
with current Canadian jurisprudence, would suggest the application of judicial restraint in those
situations where the extraterritorial impact of the judgement is unwarranted or inappropriate.
The following section will further develop the submission that the statutory interpretation sought
by the BCGSEU is not appropriate and, according to the doctrines of comity and reciprocity,
should be denied.
Summary:
• Canadian jurisprudence has supported an interpretation of international law placing
inherent limitations on the extent to which any nation can, or should, extend its own
prescriptive jurisdiction unto the jurisdiction of another, based on the presumptions of
equality and sovereignty of nations.
• In its most recent examination of conflict of laws, the SCC has expanded the relevance of
comity and supported its evolution as a guiding principle for transnational relationships to
ensure the security of international business relations and cross border transactions.
• The impeachment defences of Beals do not provide a justification for the disregard of
comity in the instance of the BCGSEU petition.
II. NOT AN UNAUTHORIZED USE OR DISCLOSURE
Interpreting the relevant ‘Security’ and ‘Disclosure’ provisions of B.C.’s FOIPP Act,
according to principles of comity and by appropriate objective standards, indicates that
information transfer under a Patriot Act order would not be considered unauthorized and,
therefore, not in breach of Canadian privacy law.
Attached to these submissions as Schedule A is a table setting out, by province, the
relevant provisions in Canadian public sector privacy legislation. These provisions relate to two
issues:
(a) Security Provisions: regulate protection of personal information (legislated equivalents of
s.30 of the British Columbia FOIPP); and
(b) Disclosure Provisions: regulate disclosure of personal information without consent (Canadian
equivalents to a section 215 order under the Patriot Act).
The table is instructive as it illustrates the striking similarity of the provincial ‘security’
provisions in the public sector legislation across the country. Consideration should be given to
this similarity since a narrow interpretation of B.C.’s laws may likely impact negatively on the
future interpretations of other provincial privacy laws, and resultantly, on Canada-wide
commercial dealings. For instance, should disclosure under the proposed outsourcing contract be
held to constitute a violation of B.C.’s FOIPP Act, as is alleged by the BCGSEU, and is thus
ultra vires the authority of the Minister of Health Services, then due to the similarity of
legislation across Canada it could be argued by others that any contracting to US-linked
companies, operating in Canada or in the United States, is similarly outside the authority of
government departments in those provinces.
The table also illustrates the similarity of the provincial ‘disclosure without consent’
provisions. While the petition before the B.C. courts has been framed in relation to the ‘security’
provisions of the FOIPP Act under s. 30, it is our submission that this perspective does not
address the reality of the legal situation. That is, if the operable legislation authorizes disclosure
of personal information in response to an order under the Patriot Act, how can it be said that an
entity is not complying with the appropriate security requirements? The argument that privacy
law security requirements may be violated could only then be valid if one ‘reads in’ a provision
that security compliance (according to B.C.’s FOIPP) necessitates non-disclosure pursuant to an
order with the characteristics of a Patriot Act order, in contrast to permissible disclosure for other
types of orders, subpoenas or warrants that may be issued by Canadian authorities against a
public sector entity.
SECURITY PROVISIONS:
An examination of Canadian privacy law ‘Security’ provisions, by the appropriate objective
standard, demonstrates that information flow to the US is not prima facie an unauthorized
risk28.
The decision sought by the BCGSEU on the Patriot Act and its interaction with B.C.’s
FOIPP Act29 demands that there can be no statutory construction by which the two acts can
co-exist. We do not share this view. Before a decision on whether information transfer under a
Patriot Act order can be considered a breach of B.C.’s privacy law, it is necessary to
determine whether such a transfer of information, according to the legislated standard for
security considerations, could be considered ‘unauthorized’.
28 The following examines the ‘security’ provisions contained in public sector privacy legislation to assess whether
these provisions may be violated when USA-linked companies obtain access to personal information in the
custody or under the control of a public body/government institution subject to the relevant Canadian legislation.
It provides an interpretation of the provisions by Canadian Privacy Commissioners, as well as any ‘policy
guidance’ that has been provided by those government institutions charged with the operation of the legislation.
29 Supra note 3.
The appropriate starting point for this analysis is section 30 of the British Columbia
FOIPP Act, both because this is the central issue currently under consideration by that province’s
Privacy Commissioner and because, as noted in Schedule A, the language is replicated in several
provinces across the country30.
The provision reads:
s. 30 The head of a public body must protect personal information
by making reasonable security arrangements against such risks as
unauthorized access, collection, use, disclosure or disposal.
[emphasis added]
While the Commissioner has not yet issued any relevant orders on point, nor additional
clarifying material, some interpretation can be garnered from the British Columbia Ministry of
Management Services web site for the government’s Procedures Manual. This online manual
has a page dedicated to an explanation of the FOIPP Act, which provides limited instructive
information on the government’s policy on the responsibilities regarding section 30. The online
‘Summary’ for s. 30 reads as follows:31
“Section 30 imposes a duty upon the head of the public body to
prevent unauthorized access to personal information in its
custody or control both from within and outside the public body.
This section also requires the head of a public body to ensure that
access by members within the public body is governed by the
principle of need to know. ... [emphasis added]” 32
The Procedures Manual web site also provides an interpretation section that outlines a
standard for ‘reasonable security arrangements’ for those Ministries not explicitly covered by
internal B.C. government security programs. Under this standard, security arrangements are
‘reasonable’ if they are those a “fair, rational person would think were appropriate
according to the sensitivity of the information and to the medium in which it is stored,
transmitted, handled, or transferred.” 33
30 The language of the concordant provisions of the legislation in Alberta (s.38(1)); Manitoba (s.41);
Newfoundland (s.36(1)); Nova Scotia (s.24(3)); Northwest Territories (s.42); Nunavut (s.42); Prince Edward
Island (s.35(1)); and the Yukon (s.33) are virtually identical. No requirements have been set out in Manitoba.
Remaining provinces have legislation regarding security in different forms: Ontario (s. 4(1)); Quebec (s. 115(5))
no regulations; Saskatchewan (no provisions); New Brunswick (two schedules and related provisions).
31 Available online at: http://www.mser.gov.bc.ca/foi_pop/manual/sections/sec30_39/sec30.htm (accessed July 12,
2004)
32 Ibid. As further assistance, several of these terms used in the s. 30 text are later defined:
Unauthorized use: “Use” of personal information is unauthorized if it is not in accordance with section 32 (use of
personal information) of the Act.
Unauthorized disclosure: An unauthorized disclosure is revealing, exposing, showing, providing copies of,
selling, giving or telling personal information in a way that is not in accordance with section 33 (disclosure of
personal information) of the Act.
In light of this online interpretative information, one must ask: what is the meaning of
“unauthorized” according to s.30, and how does this fit with B.C.’s Ministry of Management
Services default ‘fair and rational person’ test for the handling of information? If the movement
of information under a Patriot Act order is not ‘unauthorized’ as defined by the statute, then
there can be no privacy law breach with which to attack the outsourcing contract. In order to
ensure information use or transfer is ‘authorized’, one could establish that the accessing of
information by the US Government under the Patriot Act, perhaps for reasons of national security,
would be deemed appropriate by a fair and reasonable person, using a sliding scale dependent on
the nature of the information.
In the case of an outsourcing arrangement in which the public body retains control of the
private information and directs the contractor, the provision of the information would clearly be
‘authorized’ under B.C.’s FOIPP s.32(a) [as a use] or s.33(c) [as a disclosure]. Based on the
above information available from the B.C. government services, if we can assume that the US-linked
company is required, by contract, to implement the basic security requirements noted by
the Ministry of Management Services, then the outsourcing will not offend the provisions of
s.30. Reasonable security requirements, that meet the fair and reasonable person test, can be
implemented contractually and the movement of the personal information from the Ministry to
the company will fall under the definition of an ‘authorized’ transmission.
To further this analysis, the term ‘unauthorized’ and the objective ‘reasonable person’
standard are examined according to several other privacy statutes as they relate to security
provisions. Important to note is that these standards, as written in Canadian legislation, do not
relate to the perceived implications of foreign laws, but focus on enumerating possible risks
according to Canadian law.
Alberta
The Alberta Information and Privacy Commissioner has interpreted ‘unauthorized
access’ in s.38(1) of the Alberta Freedom of Information and Protection of Privacy Act as
follows34:
Unauthorized access to personal information:
33 Ibid. “For public bodies not covered by CORE, "reasonable security arrangements" are those which a fair,
rational person would think were appropriate to the sensitivity of the information and to the medium in which it
is stored, transmitted, handled, or transferred. A sliding scale of security arrangements is appropriate, depending
on the sensitivity of the personal information that a public body handles.” CORE is a Ministry of Finance
computing and information management program. Therefore, all Ministries not covered by this program refer to
the fair and rational standard (accessed July 12, 2004).
34 Order 98-002, available online at: http://www.oipc.ab.ca/ims/client/upload/ACF147.pdf
a) access by the public, where there is no right to access;
b) access by a public body’s employees, if those employees do not
need to see the personal information in the course of their duties;
c) situations in which information is stored in an unsecured manner
such that someone can obtain unauthorized access.
The specific statutory reference to access by the public suggests that access by regulatory
or executive branches of the government may be considered an authorized access, or may fall
prima facie within the reasonable standard.
Ontario
In Ontario, under Section 4(1) of Ont. Reg. 460 35, the security measures required to
prevent ‘unauthorized access’ are noted as:
“Every head shall ensure that reasonable measures to prevent
unauthorized access to the records in his or her institution are
defined, documented and put in place, taking into account the nature of
the information to be protected.”
Reasonable measures represents the same objective standard as noted in the B.C.
interpretation sections, with consideration given to the nature of the information and security
procedure advanced accordingly.
Federal Personal Information Protection and Electronic Documents Act (PIPEDA)36
PIPEDA sets out the rules and principles for the management of personal information in
the private sector by organizations that engage in commercial activities. The purpose of
PIPEDA is to develop information management rules that will balance two concerns37:
a) the right of privacy of individuals with respect to their personal information; and
b) the needs of organizations to collect, use or disclose personal information for purposes
that a “reasonable person” would consider appropriate in the circumstances38.
Once again the “reasonable person”, mirrored by B.C.’s ‘fair and reasonable person’, is
referenced as the standard by which the level of information security is measured. This
reasonable person standard applies equally to Schedule 1; Principle 7 (4.7) – Safeguards. This
35 Freedom of Information and Protection of Privacy Act, R.S.O. 1990, c.F-31.
36 S.C. 2000, c. 5.
37 S. Perrin, H. Black, D. Flaherty, & T. M. Rankin “The Personal Information Protection and Electronic
Documents Act – An Annotated Guide” (Toronto: Irwin Law, 2001) at 56.
38 Supra note 36, Section 3: Purpose.
section deals specifically with the security safeguards for personal information, which are noted to
be “…appropriate to the sensitivity of the information.”39
The Commissioner of Privacy for B.C. has requested submissions on ways to eliminate or
appropriately mitigate privacy risks40. The concern of the BCGSEU, therefore, must not simply
be with the definition of ‘unauthorized’ since contract provisions for the transfer of data can ensure
such transfers fall within the statutory standard of ‘reasonable’. The concern of the BCGSEU
appears to be, from the language of the affidavits within the B.C. Supreme Court Petition, that
the information may be transferred according to an order of the Patriot Act specifically.
Examining statutes from other jurisdictions, together with the sliding scale of a ‘fair and
reasonable person’, would the fact that personal information may potentially be subject to disclosure
pursuant to a Patriot Act order make such a transfer ‘unauthorized’? It is difficult to imagine
how this analysis could be accepted. Security provisions noted in Federal and Canadian privacy
statutes do not pose specific restrictions on the destination of personal information, but rather
operate according to an objective determination of the nature of the information.41 The concern of the
authors is that a determination that the transfer of information to a USA-linked company will
prima facie create a statutory breach is narrowly interpreting Canadian privacy law according to
an analysis of the potential impact of foreign law, rather than on an objective review of relevant
Canadian statutory provisions.
According to the “fair and reasonable person” test adopted by multiple jurisdictions for
their privacy standard, consideration should be given to the nature of the information, the nature
of the request, safeguards for transfer to a third party, but does not hinge on the jurisdiction of
parties obtaining the information. The authors respectfully submit that for the Privacy
Commissioner, or the B.C. Supreme Court, to determine unilaterally that any and all situations
where information could be requested or acquired by a US Federal authority must be considered
prima facie unauthorized represents a policy decision detrimental to international comity.
III. ‘SECURITY’ PROVISIONS MUST BE INTERPRETED CONSISTENTLY
An examination of Canadian privacy law ‘Security’ provisions cannot be based on a
rejection of the laws of another country, but must be considered as a sui generis category of
Canadian law and based on a reasonable measurement of relevant physical privacy
safeguards.
The B.C. Privacy Commissioner, in his call for proposals, seeks ways to eliminate or
mitigate the risks associated with unauthorized information transfer. While the authors submit
39 Ibid. Schedule 1; s. 4.7
40 Supra note 5.
41 For further analysis, see p. 15 supra, commenting on s. 4.3.1 of Schedule 1 of the PIPEDA.
that information transfers under the Patriot Act do not prima facie represent unauthorized
transfers (as noted above) it is also our position that physical and administrative safeguards, such as
those likely to be incorporated into cross-border outsourcing contracts, suffice to constitute such
information transfers as ‘authorized’. Therefore, a review of B.C.’s FOIPP Act, and
interpretation of other jurisdictions’ sui generis security provisions, will demonstrate that an
outsourcing contract, similar to the proposal by the B.C. MSC, would not be in violation of
provincial privacy laws.
Section 30 of the B.C. FOIPP Act stressed the need for the head of public institutions to
“…protect personal information…by making reasonable security arrangements against such risks
as unauthorized access, collection, use, disclosure or disposal.”42 The Ministry of Management
Services online Manual, as noted previously, also highlights several examples of physical and
procedural security arrangements, for personal information that are deemed to be “reasonable”.
Examples of physical security arrangements:
• Storing records containing personal information in locked storage rooms
or locked filing cabinets, with controls over distribution of keys or lock
combinations.
• Use of numbers or other methods to label file drawers, records storage
boxes and other storage containers so as not to reveal the fact that they
contain personal information.
Examples of procedural security arrangements:
• Access controls on computer systems (i.e., passwords that allow different
levels of access to various screens and differing capabilities to read,
extract or change data).
• Where contracted services are used for storage, transportation or
destruction of records, including security provisions in the service
contract, public bodies should require the contractors to provide a
certificate of destruction.
Stringent security measures (e.g., locked filing cabinets,
computer access codes and a physically secure room to which
access is controlled by a guard, receptionist, locked door or
electronic access control device) are appropriate for particularly
sensitive information such as medical records, personnel files or
inmate files. [emphasis added]
42 Supra note 3, s. 30.
The focus of this Ministerial interpretation, and by inference, the focus of s. 30 is on the
physical and administrative safeguards noted in the passage. Also noted is a reference to greater
security for information of greater sensitivity; a policy that is consistent with the “reasonable”
standard based on the nature of the information used commonly throughout the provincial
privacy laws. Interestingly, medical records are noted explicitly in this s. 30 interpretation and
while physical security aspects such as computer access codes and access control devices are
listed, restrictions based on jurisdiction or applicable Federal statutes of the destination country
for information transfer are not.
Federal Personal Information Protection and Electronic Documents Act (PIPEDA)
The reasonable person standard noted previously for ‘authorized’ transfer and
management of information applies equally to other portions of the Act, including Schedule 1;
Principle 7 (4.7) – Safeguards. This section deals specifically with the security safeguards for
personal information, which are noted to be “…appropriate to the sensitivity of the
information.”43 According to s. 4.7.2:
“The methods of protection should include:
(a) physical measures, for example, locked filing cabinets and
restricted access to offices;
(b) organizational measures, for example, security clearances and
limiting access on a "need-to-know" basis; and
(c) technological measures, for example, the use of passwords and
encryption.”
The focus of the wording, and thereby its meaning and intent, is on the physical and
administrative mechanisms used by data managers to ensure the security of the data processing
and transfer. Absent from this principle is the notion that protection should include geographic
restrictions, nor are any limitations based on the nature of the recipient. There does not appear to
be any interpretation of this statute by which the laws of one jurisdiction should be preferred to
those of another.
Sub-Clause 4.1.3 of PIPEDA deals with Transferring Information to Third Parties for
Processing44. This subclause is significant because compliance with its requirements may be
reviewed by the Federal Court, as noted under Section 14(1) of PIPEDA. According to this
provision organizations shall use contractual, or other means, to provide a comparable level of
43 Ibid. Schedule 1; s. 4.7
44 4.1.3: An organization is responsible for personal information in its possession or custody, including information
that has been transferred to a third party for processing. The organization shall use contractual or other means to
provide a comparable level of protection while the information is being processed by a third party. See Platt,
Privacy law in the Private Sector: An Annotation of the Legislation in Canada, (Canada Law Book, 2002)
Loose-leaf updated to June 2004 at p. N-6.
protection while the information is being processed by a third party. Sub-Clause 4.1.3 is also
important to this examination because it is the only area in the Act where trans-border data flow
issues are addressed and, according to the above-mentioned security standard for PIPEDA, they are
addressed with respect to the objective ‘reasonable person’.
Ontario
In Ontario, the power exists under s.60(1)(a) 45 for the Lieutenant Governor in Council to
make regulations. The nature of security safeguards is explicitly laid out, with the Ontario
provisions “…requiring administrative, technical and physical safeguards to ensure the
security and confidentiality of records and personal information under the control of
institutions.”46
New Brunswick
New Brunswick’s Protection of Personal Information Act47 contains both a Statutory
Code of Practice (Schedule A) and Interpretation and Application of the Statutory Code of
Practice (Schedule B). Principle 7, dealing with ‘Safeguards’ merely states that “Personal
information shall be protected by safeguards appropriate to the sensitivity of the
information”. [emphasis added].
Schedule B expands upon this requirement to require that:
“The safeguards to be adopted include training and administrative,
technical, physical and other measures, as appropriate in the
circumstances, and include safeguards that are to be adopted when
a public body discloses personal information to a third party or
makes arrangements for a third party to collect personal
information on its behalf.”[emphasis added]
Note that this section makes reference to the need for public bodies, when transferring
information to third parties, to ensure the appropriate physical safeguards be in place. Arguably,
the presence of this statement within Schedule B suggests that the New Brunswick legislators
considered the transfer of information to third parties and drafted the provision accordingly.
There is no mention of the laws of the jurisdiction to which such information transfer would
occur, again, arguably part of the deliberate wording of the section.
45 Freedom of Information and Protection of Privacy Act, R.S.O. 1990, c.F-31.
46 Ibid.
47 Protection of Personal Information Act, S.N.B. 1998, c.P-19.1
European Union Directive48
The relevant security standards of the EU directive (Article 17 – Security of Processing)
are similar to the provisions of Canadian Privacy law with respect to an objective standard for
control of information:
1. Member States shall provide that the controller must implement
appropriate technical and organizational measures to protect
personal data against accidental or unlawful destruction or
accidental loss, alteration, unauthorized disclosure or access, in
particular where the processing involves the transmission of data
over a network, and against all other unlawful forms of processing.
Having regard to the state of the art and the cost of their
implementation, such measures shall ensure a level of security
appropriate to the risks represented by the processing and the
nature of the data to be protected. 49
As part of a larger security framework, the EU Directive makes specific reference to the
transfer of data to third parties and the standards that must be applied to such third party
transfers. Additionally, the provisions establish what has become known as the “Adequacy
Principle”, regarding the adequacy of the privacy laws in the destination country regarding
security measures50. Unlike Europe, neither B.C.’s public sector legislation, nor that of any of
the other provinces or federal government, imposes restrictions on the geographic or legislative
destination to which the personal information may be disclosed. B.C.’s legislation does not
require that there be a certain level of concordance between the laws of Canada and the laws in
place in the receiving jurisdiction prior to the transfer of data. The organization that ‘transfers’
48 DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL EU: The Data
Protection Directive; of 24 October 1995. “…on the protection of individuals, with regard to the processing of
personal data, and on the free movement of such data.” Available at http://europa.eu.int/ (accessed July 14,
2004).
49 Ibid. Chapter II: GENERAL RULES ON THE LAWFULNESS OF THE PROCESSING OF PERSONAL
DATA - Section VIII - Confidentiality and Security of Processing: Article 17 Security of Processing.
50 Chapter IV: TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES: Article 25 Principles.
(1) The Member States shall provide that the transfer to a third country of personal data which are undergoing
processing or are intended for processing after transfer may take place only if, without prejudice to compliance
with the national provisions adopted pursuant to the other provisions of this Directive, the third country ensures
an adequate level of protection.
(2) The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the
circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration
shall be given to the nature of the data, the purpose and duration of the proposed processing operation or
operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in
force in the third country in question and the professional rules and security measures which are complied with
in that country.
the data remains responsible to the extent that contractual provisions are implemented between
the two organizations. But there is no requirement that such transfers only be directed to
particular jurisdictions.
Despite the strict provisions governing the transfer of information to jurisdictions without
adequate privacy laws, information transfer between Europe and the United States continues
without the difficulty and risk suggested by the BCGSEU, between B.C. and the US, in its
petition. The U.S. approach to privacy regulation has been described as a “sectoral approach”
relying on a mix of legislation, regulation, and self-regulation while the EU relies on
comprehensive legislation51. According to the US Department of Commerce:
“…in order to bridge these different privacy approaches and provide
a streamlined means for U.S. organizations to comply with the
[EU] Directive, the U.S. Department of Commerce in consultation
with the European Commission developed a "safe harbor"
framework. The safe harbor … is an important way for U.S.
companies to avoid experiencing interruptions in their business
dealings with the EU or facing prosecution by European authorities
under European privacy laws. Certifying to the safe harbor will
assure that EU organizations know that your company provides
“adequate” privacy protection, as defined by the Directive.”52
[emphasis added]
Under this safe-harbour principle, the EU allows the US, a non-compliant country, to
conduct business through a modification of the physical and administrative safeguards, such as
contracting. It should be noted, therefore, that even the EU, whose legislation does contain
provisions regarding the laws and standards of foreign jurisdictions, does not enforce these
provisions to their full extent.53 Should the B.C. FOIPP Act be interpreted such that it considers
51 http://www.export.gov/safeharbor/ (accessed July 16, 2004).
52 Ibid. - Introduction to Safe Harbour.
53 In this context, it should be noted that, on May 14, 2004, the European Commission issued an 'adequacy finding'
allowing the transfer of Passenger Name Record (PNR) data between Europe and the United States (available
online at: http://europa.eu.int(comm/internal_market/privacy/docks/adequacy/pnr/c-2004-1914/c-20041914_en.pdf).
The finding was issued after some 1 1/2 years of negotiations between the Commission and the
US Department of Homeland Security (DHS). While the European Parliament is still considering whether to take
the case to the European Court of Justice to obtain an annulment, based in part on procedural grounds given that
the Commission approved the decision over Parliamentary objections, the Commission's decision is relevant to
the matter before the BC Privacy Commissioner because of the manner in which the negotiations were
undertaken and the elements contained in the Commission’s decision.
The Commission did not take the approach that merely because the transfer was ultimately to the US Bureau of
Customs and Border Protection (CBP), a US government department not subject to privacy legislation, there
could be no transfer without passenger consent, a clearly impractical solution. Rather, CBP agreed to a number
of undertakings (set out in an Annex to the Decision), in which it undertook to deal with the PNR data in a
the laws of the foreign destination to which information may be transferred, it would not only be
the only Canadian jurisdiction to do so, but would also be isolated in North America and perhaps
in its dealings with Europe.
For the Privacy Commissioner, or the B.C. Courts, to determine unilaterally that any and
all situations where information could be requested or acquired by a US Federal authority must
be considered prima facie unauthorized represents a policy decision detrimental to international
comity. This construction of B.C. law would require the reading in of a provision similar to that
of the EU’s Article 25, which is clearly not present in the B.C. legislation. Certainly the security
provisions of these above mentioned statutes address the second question posed by the
Commissioner, regarding the elimination or mitigation of privacy risks, but do so without undue
discrimination as to the jurisdiction of transfer. Rather, and more appropriately, the focus of
these statutes, similar in nature and language to the B.C. FOIPP Act, is an appropriate evaluation
of risk based on an objective standard, corrected according to the nature of the information, not
the nature of the recipient.
In applying the security provisions in the B.C. FOIPP Act, it is respectfully submitted
that the Commissioner have due regard to the doctrine of ejusdem generis54 and thereby restrict
the class of security protections to the physical and administrative measures contemplated by
privacy legislation in B.C. and elsewhere. Additionally, the security provisions should be
interpreted in a manner consistent with the international privacy obligations under the EU
Directive. The Supreme Court of Canada held, per Gonthier J., as follows:
“In interpreting legislation which has been enacted with a view towards
implementing international obligations, as is the case here, it is reasonable for
a tribunal to examine the domestic law in the context of the relevant agreement to
clarify any uncertainty. Indeed, where the text of the domestic law lends itself to
it, one should also strive to expound an interpretation which is consonant with the
relevant international obligations….The Court of Appeal’s suggestion that
recourse to an international treaty is only available where the provision of
domestic legislation is ambiguous on its face is to be rejected.”55
manner that satisfied the Commission as to the ‘adequate protection’ to be afforded to it in the hands of the US
government agency. The point is that in circumstances in which data transfers were required for legitimate
security reasons, the Commission was prepared to and, in fact, did, carefully consider the nature of the data
elements and other data protection principles that CBP was prepared to voluntarily assume. Therefore, even
where there is legal authority to assess the law of the recipient jurisdiction, the Commission has determined that
voluntary undertakings, even where the same provisions of the Patriot Act would apply, provide ‘adequate
protection’ for personal data.
54 A further analysis of this doctrine can be found in Driedger “Construction of Statutes” Second Edition, (Toronto,
Butterworths 1983) at 113 to 119 and Sullivan and Driedger on the Construction of Statutes, Fourth Edition
(Butterworths) at page 175 to 179.
55 National Corn Growers Assn. v. Canada (Import Tribunal), [1990] 2 S.C.R. 1324, 1371 (Gonthier J.). In the
same vein, see Canada v. Seaboard Lumber Sales Co., [1995] 3 F.C. 113, 120 (F.C.A.).
The authors respectfully submit that an interpretation of B.C.’s privacy laws based on
analysis of laws of a foreign jurisdiction, rather than the sui generis physical and administrative
safeguards noted in Canadian legislation, would be an inappropriate policy-based decision.
Summary:
• According to the “fair and reasonable person” test adopted by multiple jurisdictions for
their privacy standard, consideration should be given to the nature of the information, the
nature of the request, safeguards for transfer to a third party, but does not hinge on the
jurisdiction of parties obtaining the information.
• Risk can be mitigated through consideration of physical safeguards, including training
and administrative, technical, physical and other administrative measures, and are to be
evaluated based on an objective ‘reasonable person’ standard, corrected according to the
nature of the information.
• Neither B.C.’s public sector legislation, nor that of any of the other provinces or federal
government, imposes restrictions on the geographic or legislative destination to which the
personal information may be disclosed. To do so would be an inappropriate policy-based
decision that would isolate B.C. and its commercial dealings in North America.
IV. DISCLOSURE WITHOUT CONSENT PERMITTED
DISCLOSURE PROVISIONS:
The F.B.I. obtains access to records pursuant to a court order for production.
The process by which the Federal Bureau of Investigation obtains its authority to access
records for foreign intelligence and international terrorism activities is set out in the amendments
to the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1861 et seq.) as follows:
SEC. 501. ACCESS TO CERTAIN BUSINESS RECORDS FOR FOREIGN
INTELLIGENCE AND INTERNATIONAL TERRORISM INVESTIGATIONS
(a)(1) The Director of the Federal Bureau of Investigation or a
designee of the Director (whose rank shall be no lower than
Assistant Special Agent in Charge) may make application for an
order requiring the production of any tangible things (including
books, records, papers, documents, and other items) for an
investigation to protect against international terrorism or
clandestine intelligence activities provided that such investigation
is not conducted solely on the basis of activities protected by the
first amendment to the Constitution.
…
(b) Each application under this section –
(1) shall be made to –
(A) a judge of the court established by section 103 (a); or
(B) a United States Magistrate Judge under chapter 43 of
title 28, United States Code, who is publicly designated
by the Chief Justice of the United States to have the
power to hear applications and grant orders for the
production of tangible things under this section on
behalf of a judge of that court; and
(2) shall specify that the records concerned are sought for an
authorized investigation conducted in accordance with
subsection (a)(2) to protect against international terrorism
or clandestine intelligence activities.
(c)(1) Upon an application made pursuant to this section, the
judge shall enter an ex parte order as requested, or as
modified approving the release of records if the judge
finds that the application meets the requirements of this
section. [emphasis added]
On their face, the above-referenced provisions establish a formalized process by which
the FBI may obtain a court order for the production of records including those containing
“personal information” as defined in the BC FOIPP Act. Assuming that a Patriot Act order has
been properly obtained by the FBI, there is no basis on which to conclude that such an order
would not fall within the provisions of s.33(e) of the B.C. legislation (or that of the other
provinces noted in footnote 56), particularly when, as noted, this provision has no jurisdictional
limitations. The question of whether an authorized US court that has made such an order has the
“jurisdiction to compel the production of the information” is relevant to question #1 posed by the
Privacy Commissioner. As noted on p.2 of these submissions, we have assumed that the answer
to that question is in the affirmative.
An interpretation of the B.C. FOIPP Act ‘disclosure without consent’ provisions must take
into account the similar exceptions which currently exist in Federal and Provincial legislation,
as well as proposed amendments.
As is the case with the ‘security’ provisions described above, the privacy legislation of
several provinces contains a disclosure provision (disclosure without consent) similar to that
found in s.33(e) of the B.C. legislation56. This provision reads:
A public body may disclose personal information only…
(e) for the purpose of complying with a subpoena, warrant or
order issued or made by a court, person or body with
jurisdiction to compel the production of the information
[emphasis added]
The key issues in this paragraph are twofold:
a) what is the impact, on an international level, of the use of the wording ‘subpoena,
warrant or order’?
b) what is the impact of the reference to ‘a person or body with jurisdiction’?
Section 33(e) does not mandate that such subpoenas, warrants or orders must have been
issued or made by a Canadian court, person or body. Nor does the subsection mandate that the
person or body with jurisdiction must be a Canadian court. As discussed in the decisions of
Morguard57 and Beals58, jurisdiction can be afforded to any body with a ‘real and substantial’
connection to the subject matter or the parties. This may be contrasted with the disclosure
provisions of s.33(d) or (d.1)(ii) of FOIPP, for example, that speak specifically to an enactment
of British Columbia or Canada. By leaving the definition of jurisdiction open (there is no
statutory definition of jurisdiction in Schedule 1), while noting in other subsections the
requirement of Canadian jurisdiction, one could infer that the authors of the B.C. FOIPP Act
intended to leave the definition of ‘jurisdiction’ open and flexible to advances in the common
law. As noted previously, the common law currently recognizes the primacy of comity and
reciprocity, and thus, one could infer that “a subpoena, warrant or order issued or made by a
court, person or body with jurisdiction” could, and should, refer to a court sanctioned request
for information originating from a foreign body with appropriate jurisdiction.
56 Alberta (s.40(1)(g)); Manitoba (s.44(1)(m)); Newfoundland (s.39(1)(e)); Nova Scotia (s.27(e)); Northwest
Territories (s.48(n)); Nunavut (s.48(n)); Prince Edward Island (s.37(1)(f)); Saskatchewan (s.29(2)(b)); Yukon
(s.36(e)).
57 Supra note 8.
58 Supra note 17.
There are no orders of the Commissioner interpreting s.33(e), nor any interpretative
guidance provided by the government; accordingly, as was the case with the ‘security
provisions’, guidance is sought through an examination of other jurisdictions.
Alberta
The Alberta Freedom of Information and Protection of Privacy Guidelines and Practices59
provide an explanation of the disclosure provision as it appears in the Alberta privacy legislation
under s. 4060:
…disclosure may be made…
• to any other person in response to a FOIP request; as a
disclosure in the public interest (section 32); when the
disclosure would not be an unreasonable invasion of
privacy (section 40(1)(b)), or when section 40 of the Act
specifically allows the disclosure;
• to other public bodies, to legislative, legal and judicial
officers, to other levels of government, or to non-government
organizations. The disclosure may take place
to support the activities of either the public body
disclosing the information or the party to which it is
disclosed.
…This provision permits personal information to be disclosed in
order to comply with legal processes that require the production
of information. These processes include the use of a subpoena,
warrant or order issued or made by a court, person or body
having jurisdiction to compel the production of information, or
with a rule of court that relates to the production of information…
A review of this interpretative material suggests that, as with the security provisions of
privacy legislation, the fair and reasonable standard is used to establish what constitutes an
authorized or unauthorized disclosure and under what circumstances, generally, compliance with
legal processes will not be considered a breach of privacy. Important to note is the lack of any
reference to territorial jurisdiction in s. 40(1)(g) 61; instead, reference to disclosure under the
auspices of the legislation of Alberta or Canada are referenced specifically62. Arguably, one
could interpret this provision to suggest that s. 40(1)(g), by deliberately lacking any reference to
territorial jurisdiction, where other subsections expressly do so, actually purports to represent a
legislative mechanism for such an extraterritorial disclosure.
59 Available online at: http://www3.gov.ab.ca/foip/guidelines_practices/2002/index.cfm (Guidelines and Practices,
2002 edition); see, in particular, Chapter 7: Protection of Privacy (accessed July 12, 2004).
60 RSA 2000, C.F.-25 s1. 40(1) A public body may disclose personal information only…
40 (1)(g) for the purpose of complying with a subpoena, warrant or order issued or made by a court, person or
body having jurisdiction to compel the production of information or with a rule of court that relates to the
production of information,
61 Ibid.
Manitoba
Manitoba’s privacy legislation contains a similar subsection regarding the disclosure of
personal information for the purpose of complying with various legal orders63.
44(1) A public body may disclose personal information only,
…(m) for the purpose of complying with a subpoena, warrant or
order issued or made by a court, person or body with jurisdiction to
compel the production of information or with a rule of court that
relates to the production of information
…(r) for law enforcement purposes or crime prevention
The Manitoba legislation appears to provide for a broad spectrum of law enforcement
applications for information disclosure, particularly subsection (r) as a potentially limitless
“crime prevention” component. It may be arguable that the existence of subsection (s), and its
direct reference to treaties or foreign bodies, suggests that all other subsections should be
interpreted to relate to Canadian jurisdiction64. However, the exhaustive number of subsections
under s. 44(1) also suggests that each should be read and interpreted individually, with the
extensive nature of subsections accurately conveying the totality of relevant exceptions at face
value. Therefore, the Manitoba legislation can be said to be synchronized with Canadian
jurisprudence, allowing for both the recognition of international jurisdiction through comity (sub.
m) as well as respect for international treaties (sub. s(ii)).
Saskatchewan
The relevant ‘disclosure’ provisions of the Freedom of Information and Protection of
Privacy Act65 are as follows:
62 s. 40(1)
(e) for the purpose of complying with an enactment of Alberta or Canada or with a treaty, arrangement
or agreement made under an enactment of Alberta or Canada,
(f) for any purpose in accordance with an enactment of Alberta or Canada that authorizes or requires the
disclosure,
63 The Freedom of Information and Protection of Privacy Act, S.M. 1997, c.50.
64 s. 40(1)(s) if the public body is a law enforcement agency and the information is disclosed to
(i) another law enforcement agency in Canada, or
(ii) a law enforcement agency in a foreign country under an arrangement, written agreement, treaty or
legislative authority;
65 S.S. 1991, c.F-22.01.
29.(1) No government institution shall disclose personal
information in its possession or under its control without the
consent, given in the prescribed manner, of the individual to whom
the information relates except in accordance with this section or
s.30
(2) Subject to any other Act or regulation, personal information in
the possession or under the control of a government institution may
be disclosed:…
…(b) for the purpose of complying with: a subpoena or warrant
issued or order made by a court, person or body that has the
authority to compel the production of information; or
rules of court that relate to production of information…
…(h.1) for any purpose related to the detection, investigation or
prevention of an act or omission that might constitute a terrorist
activity as defined in the Criminal code, to:…
(i) the Government of Canada or its agencies, Crown
corporations or other institutions;
(ii) the government of another province or territory of
Canada, or its agencies, Crown corporations or other
institutions;
(iii) the government of a foreign jurisdiction or its
institutions;
(iv) an international organization of states or its institutions;
or
(v) a local authority as defined in the regulations;
Section 29(2)(b) of the Saskatchewan privacy legislation is similar to those provisions of
other provinces dealing with subpoenas, warrants or orders inasmuch as it would require similar
interpretation as to whether a foreign jurisdiction fell within that description. However,
s.29(2)(h.1) subs (iii) and (iv) explicitly provide for the permissible disclosure of information to
foreign bodies in an effort to combat terrorism. The inclusion of this provision takes
Saskatchewan’s legislation to the forefront of international anti-terrorism co-operation and
provides the highest level of international reciprocity with respect to cross-border assistance in
the investigation of terrorist-related criminal matters.
With such a provision included within its legislation, an order under the Patriot Act
could scarcely be considered an unauthorized disclosure when such orders are made directly in
response to terror-centred investigations and security compliance66.
66 http://www.lifeandliberty.gov/patriot_overview_pversion.pdf (accessed July 12, 2004); a US Department of
Justice page outlining the purpose, congressional history, stories and articles regarding the USA PATRIOT Act.
Federal Personal Information Protection and Electronic Documents Act (PIPEDA)67
Federal privacy legislation also contains disclosure provisions which make specific
reference to
s. 7 (3) For the purpose of clause 4.3 of Schedule 168…an
organization may disclose personal information without the
knowledge or consent of the individual only if the disclosure is…
…(c) required to comply with a subpoena or warrant issued or an
order made by a court, person or body with jurisdiction to
compel the production of information, or to comply with rules of
court relating to the production of records;
(c.1) made to a government institution or part of a government
institution that has made a request for the information, identified
its lawful authority to obtain the information and indicated that
(i) it suspects that the information relates to national
security, the defence of Canada or the conduct of
international affairs,
(ii) the disclosure is requested for the purpose of enforcing
any law of Canada, a province or a foreign jurisdiction,
carrying out an investigation relating to the enforcement of
any such law or gathering intelligence for the purpose of
enforcing any such law, or
(iii) the disclosure is requested for the purpose of
administering any law of Canada or a province;
Although section c.1 suggests that a formal request must be made by a foreign
jurisdiction to a Canadian government institution, it does not mandate that either party is
required to inform those persons or groups, whose private information forms the content of the
request, that such information has been disclosed. In this way, one of the major concerns
regarding a Patriot Act order (that neither the Federal body nor the body disclosing private
information inform the party whose information is being transferred) is not mitigated by the
inclusion of a Canadian authority. Accordingly, some of the concerns regarding s. 215 of the
Patriot Act, noted in the affidavit of J. Jaffer69, cannot be the basis of conflict between Canadian
privacy laws and the Patriot Act.
67 Supra note 33.
68 4.3 Principle 3 -- Consent
69 J. Jaffer, Affidavit #1. Sworn, Feb. 23, 2004, in the matter of British Columbia Government & Services
Employees’ Union (petitioner) v. The Minister of Health Services & Medical Services Commission
(respondents), British Columbia Supreme Court, Victoria Registry No. 04-0879.
Bill C-7: the Public Safety Act70
In response to the events of September 11, 2001, the Federal Government has developed
the Public Safety Act, which proposes amendments to several federal laws including the
Aeronautics Act71. There has been debate regarding the amendment, specifically with respect to
the disclosure without consent provisions. According to a summary of the amendments to the
Aeronautics Act of the Bill72:
Section 4.82 … authorizes the Commissioner of the Royal
Canadian Mounted Police (RCMP), the Director of the Canadian
Security Intelligence Service (CSIS), and the persons they
designate, to require certain passenger … from air carriers and
operators of aviation reservation systems, to be used and disclosed
for transportation security purposes; national security
investigations relating to terrorism; situations of immediate threat
to the life or safety of a person;
Section 4.82 authorizes the Commissioner of the RCMP to
designate persons to receive and analyze the information provided
… to match it with any other information under the control of the
RCMP. …
Persons designated by the Commissioner or Director may disclose
any information provided under the provision, and any information
obtained as a result of matching the information with other
information, to each other.
Under this proposed legislation, information from passenger airlines can be collected by
Canadian Federal agencies, passed to one another, and passed on to other agencies they deem
appropriate. Similar to the subsections noted previously in the Federal PIPEDA, information
may be disclosed to authorities of foreign jurisdictions without any notification to those whose
private information is the subject of disclosure. Additionally, according to the Ministry of Public
Safety and Emergency Preparedness web site:
“A consequential amendment to the Personal Information and
Protection and Electronic Documents Act (PIPEDA) is required to
recognize that national security involves collaboration and the
cooperation between government at all levels and the private
sector community. The amendment provides assurance to
businesses that they can assist national security without concern
about breaching PIPEDA.”73
70 Royal Assent, May 6, 2004; Statutes of Canada 2004, c. 15.
71 R.S.C., 1985, c. 33.
72 Located on the Libraries of Parliament web site at
http://www.parl.gc.ca/common/Bills_House_Government.asp?Language=E&parl=37&Ses=3 (accessed July 15,
2004)
The language of this interpretive passage notes explicitly that collaboration and cooperation between governments of all levels are required to address the dangers of terrorism. In
doing so, there is a planned amendment to PIPEDA to allow this to occur and to ensure that
businesses can continue with their current practices and not infringe on the federal legislation.
A review of the above legislation regarding subpoena, warrants and orders suggests that
these mechanisms for disclosure, according to the disclosure without consent provisions, should
be interpreted at face value, as they are written in the statutes.
In light of a review of privacy disclosure provisions, and the current and further availability of
personal information through such federal channels, it is unlikely that orders for information
under the Patriot Act would be considered a risk to B.C. privacy laws.
The position of the BCGSEU, in its petition, is that the contracting of services proposed
by the B.C. Medical Services Commission will unnecessarily, and in contravention of provincial
privacy laws, expose B.C. residents to unauthorized disclosures of personal information; that is,
disclosure without consent not covered under B.C.’s FOIPP Act. The circumstances that
would constitute a violation of the FOIPP Act originate from the powers vested in the FBI under
the Patriot Act, the location of the data processing service, and the belief that, by outsourcing, this
information becomes vulnerable to disclosure.
The position of the BCGSEU, as suggested in their petition, is that compliance with
B.C.’s FOIPP Act necessitates non-disclosure pursuant to an order of the Patriot Act (or similar
Federal statute) while, in contrast, it is permissible to disclose the same information by any order,
subpoena, or warrant that may be issued by a Canadian authority. The authors do not share this
position and suggest that such an interpretation is not supported by the above review of a
sample of similar provincial privacy laws.
The notion that disclosure and security requirements may be violated under such an
outsourcing arrangement is only valid if the Patriot Act provides a mechanism by which the US
Federal authorities can obtain private information in such a way that is contrary to the
previously reviewed Canadian exceptions to disclosure without consent. Having reviewed the
language of several privacy acts, and by interpreting ‘subpoenas, warrants and orders’ as they are
written, the nature of an order under the Patriot Act does not violate the B.C. disclosure without
consent provisions.
73 http://www.psepc-sppcc.gc.ca/publications/policing/c7_e.asp (accessed July 15, 2004)
Summary:
• A review of the above legislation regarding subpoena, warrants and orders suggests that
these mechanisms for disclosure, according to the disclosure without consent provisions,
should be interpreted at face value, as they are written in the statutes.
• The B.C. FOIPP Act is not infringed by a disclosure of the nature obtained under a Patriot
Act order, as the meaning of the ‘subpoena, warrant or order’ mechanism provided above
must be taken at face value and, therefore, represents an acceptable disclosure by statute.
V. MODELS FOR MITIGATING RISK
Mutual, multinational co-operation on privacy issues, founded on the principles of comity
and reciprocity, is vital to continued commercial activity. Current inter-governmental
models provide guidance for such cross-border sharing of information that can eliminate
or mitigate risks regarding compliance with Canadian law.
Canada and the United States share the world’s largest trading relationship, one that is
vital to our economy with 78 per cent of total Canadian exports and 68 per cent of total Canadian
imports occurring between the two74. With this magnitude of trade and economic integration
comes a need for co-operation and reliance in the management and facilitation of transactions.
The efficacy of such co-operation could be damaged by the extraterritorial expansion of laws
from one jurisdiction, as forwarded by the BCGSEU petition.
Canada and the US have acting bodies for Antitrust-Competition, Securities,
Energy/Electricity, etc., that have a long history of co-operation in investigating, monitoring and
sharing that allow North America to function more efficiently as an economic unit. The authors
respectfully submit that both the Provinces and the Federal Government should work to adopt a
relationship with respect to privacy that follows the prescriptive comity and reciprocity modelled
by these bodies.
Following the global trend of the internationalization of commerce, the regulation of
antitrust/competition and securities has taken on an increasingly international dimension. To
ensure the validity of Canada’s economic position, enforcement of Canadian competition and
securities laws has, therefore, become dependent on:
i) co-operation among multiple levels of regulatory agencies in the enforcement of their
laws; and
ii) the adoption of principles of positive comity to avoid or mitigate disputes arising from
conflict of laws situations.
74 Canada Department of Foreign Affairs and International Trade - Trade and Economic Analysis Division. Fifth
Annual Report on Canada’s State of Trade (May 2004).
http://www.dfaitmaeci.gc.ca/eet/trade/sot_2004/sot_2004-en.asp
Following these guidelines, the current trend in transnational regulators is toward greater
co-operation and the creation of new legal and practical relations for businesses with multinational operations. This model can and should be adapted for privacy regulators.
How are the principles of Comity and Reciprocity manifest at the level of international cooperation?
An examination of the above factors suggests, practically speaking, that a conversation
regarding the physical location of documents or the accessibility of access to such records
through computer terminals may miss the point and run counter to current trends in information
gathering and cross-border communication. Currently, legislation exists to assist in the cross-border facilitation of the investigation of Antitrust/Competition violations75. Additionally, the
Supreme Court of Canada recognizes the need for cross-border interplay of regulators based on
principles of comity to ensure the free flow of people, materials, and ideas76.
Within the common law, the Supreme Court decision Global Securities Corp. v. British
Columbia (Securities Commission)77 found that principles of reciprocity required registered
brokers in the province to produce records to assist in the administration of securities laws of
another jurisdiction, that being the Securities Exchange Commission (SEC) of the U.S. Having
entered a Memorandum of Understanding with the SEC, the B.C. Securities Commission agreed
to provide the “fullest mutual assistance” in obtaining documents and taking evidence, from
parties under investigation, when requested by the other signatory. In response to a challenge to
s. 141(1)(b) of the province’s Securities Act78, the court held that the dominant purpose of the
provision was the effective regulation of domestic securities. In order to ensure that such
effective regulation continued, by ensuring that the B.C. regulator could expect such cooperation from its US counterpart, it was incumbent on the B.C. Securities Commission to
reciprocate, as s. 141(1)(b) enables it to do so.
At the legislative level, the Government of Canada and provincial authorities have
adapted their approach to the administration and enforcement of international laws through the
implementation of co-operation agreements and other co-operative tools. Antitrust/Competition
law provides a particularly strong example of how Canada and the US can work together to
secure their respective competitive economies, while pursuing individual legislative direction
specific to their different economic situations.
75 Mutual Legal Assistance in Criminal Matters Act. R.S.C., 1985, c. 30. An Act to provide for the implementation
of treaties for mutual legal assistance in criminal matters and to amend the Criminal Code, the Crown Liability
Act and the Immigration Act.
76 Supra notes 15 (Hunt) and 17 (Beals).
77 [2000] 1 S.C.R. 494.
78 Section authorizing the B.C. Securities Commission’s executive director to order a registrant to produce records.
The development of Bilateral Co-operation Instruments allows the Competition Bureau to
co-operate with foreign antitrust agencies, such as the US Federal Trade Commission (FTC) in
the surveillance, evidence gathering and prosecution of activities such as international cartels.
Such instruments include (a) co-operation agreements; and (b) mutual legal assistance treaties79.
Co-operation Agreements, including State-to-State, enable communication of complaints
or investigation-based information as long as the provision of such information to a foreign
authority is not prohibited under Canadian law. Within such agreements, provisions may be
made for individual Agency-Agency Co-operation Arrangements, thereby providing a more
regional and specific application of principles of reciprocity between jurisdictions. Some of the
mechanisms used include conferences and bilateral meetings to develop a better understanding of
each jurisdiction’s priorities and concerns80.
At the international level, the development of a strong relationship of reciprocity can
occur under Mutual Legal Assistance Treaties ("MLAT"). MLATs are treaty-based mechanisms
that impose binding legal and administrative obligations on signatory countries81. Unlike the
previously mentioned co-operation agreements, responses to foreign requests for assistance
under MLATs are a formal process subject to ministerial and court authorization in Canada82.
This court authorization is performed under Canadian legislation, the Mutual Legal Assistance in
Criminal Matters Act83, which is also responsible for the implementation of Canadian MLAT
obligations.
How can those parties involved in regulating the flow and sharing of information find a
balance between free-flow of information for commercial purposes, and the safeguarding of
private information?
One model that could serve as a basis for discussions regarding a balance between
privacy laws and commercial activity is found in the guidelines of the Office of the Superintendent of
Financial Institutions (OSFI)84 on outsourcing. The OSFI is the federal body responsible for the
regulation and supervision of all banks, all federally incorporated or registered trust and loan
companies, insurance companies, and pension plans. This body has established guidelines for
processing in foreign jurisdictions which include:
(i) due diligence processes that address the nature and scope of sourced
information, commercial arrangements and management of activity;
(ii) materiality assessment;
(iii) risk management program;
(iv) monitoring and oversight by superintendent;
(v) compliance with legislation requirements.
79 M. Sullivan & J. Filion, “The Basics of International Cartel Enforcement in Canada” A paper prepared for the
Osgoode Hall Continuing Legal Education Program: Canada’s Competition Regime: Thinking Strategically A
Practical Guide for Business. Osgoode Hall Law School, York University, January 14, 2004. Available from
The Canadian Competition Bureau web site at http://www.cb-bc.gc.ca/ (accessed July 12, 2004).
80 Ibid. at pg. 9.
81 Ibid. at pg. 10. Generally, the primary purpose of MLATs is to seek evidence, located in the other jurisdiction, of
criminal activity, as defined in the requesting jurisdiction.
82 Ibid. at pg. 11.
83 R.S.C. 1985, c. 30 (4th Supp.).
84 The Office of the Superintendent of Financial Institutions (OSFI) is the primary regulator of federally chartered
financial institutions and federally administered pension plans, reporting to the Minister of Finance. It was
established in 1987 by an Act of Parliament, the Office of the Superintendent of Financial Institutions Act, R.S.
1985, c. 18 (3rd Supp.).
The safeguarding of information can be done by maintaining and enforcing strong
domestic laws regarding privacy; however, as the OSFI guidelines demonstrate, this security can
be managed efficiently and strong commercial outsourcing contracts need not come at the
expense of increased risk, nor unwarranted invasions of privacy85.
For example, the extraterritorial application of laws governing trade and securities are
central to the workings of these markets based on their inherent international scope. Some
mechanism must exist for the enforcement of Canadian laws when the parties and perhaps all of
the Actus Reus of prohibited activities occurs outside Canadian territory. This position may be
summarized best by the statement:
“…some extraterritorial reach may be essential to avoid allowing
the transnational character of a business character to remove it
from the ambit of a state’s law.”86
These steps have been taken in the antitrust/competition law arena, where differences in
national economic policy dictate differences in national trade regulation. Under such a system, it
is entirely foreseeable that behaviour that is per se illegal in the US and subject to criminal
sanctions could be civilly reviewable, or even legal, in Canada. Therefore, in an effort to ensure
the competitive nature of our economy the Federal Government has enacted law to ensure that
the appropriate Minister addresses requests for information/disclosure, with the appropriate
security measures at his/her disposal87.
85 OSFI Guidelines: Outsourcing of Business Activities, Functions and Processes, section 8, Data processing in
Foreign jurisdictions; Document No. 10- Processing Information Outside Canada. Available at http://www.osfibsif.gc.ca/eng/publications/guidance/index_standards.asp#b8_banks (accessed July 16, 2004).
86 Ibid. at pg. 306.
87 Foreign Extraterritorial Measures Act, R.S.C. 1985, c. 49.
Ensuring that information is adequately protected is a key requirement to providing any
information to a competition authority, in another jurisdiction, under the previously mentioned
State-to-State agreements88. The co-operation arrangements include provisions related to the
communication and protection of any confidential information that is communicated between
Canada and such foreign agencies. At the MLAT level, a request for information from a foreign
jurisdiction does not require that the conduct under investigation be the subject of a parallel
investigation by Canadian authorities, nor does it require that the conduct of the investigation be
an illegal, or civilly reviewable, activity in the jurisdiction from which the information is sought.
Therefore, the Competition Bureau of Canada may respond to MLAT requests from foreign
jurisdictions where there is no implication of a breach of Canadian law89. In order to ensure that
the flow of information between jurisdictions is appropriate, the Minister of Justice acts as
Canada's "central authority" in the administration and exercise of powers under MLATs90.
The similarity between this type of information exchange and the privacy law dilemma is
remarkable; one relates to transnational economic information and important evidentiary
information (Competition Bureau) while the other potentially relates to transnational security
information (privacy implications of Patriot Act disclosures). It seems intuitive that cross-border
disclosures of private information could be orchestrated according to the above noted principles,
cognisant of recognized and nationally-supported public policy objectives.
VI. CONCLUSIONS
Once more, the authors would like to thank the Information and Privacy Commissioner
for this opportunity to submit their views.
In summary, we respectfully submit that Canadian jurisprudence has, and will continue to
support an interpretation of international law placing inherent limitations on the extension of its
own prescriptive jurisdiction based on the presumptions of equality and sovereignty of nations.
With the Supreme Court of Canada expanding the relevance of comity as a guiding principle for
international business, we hope that the Privacy Commissioner of BC will also seek to ensure the
security of transnational relations and cross border transactions by adopting a similar forward-thinking interpretation of provincial law.
With respect to the appropriate security provisions, an application of the “fair and
reasonable person” test, also adopted by multiple jurisdictions, will assist in the mitigation of risk
through a consideration of physical and administrative safeguards. These safeguards, including
those for transfer to a third party, should not be based on the jurisdiction of parties obtaining the
information; rather, they should be assessed according to the nature of the information. We
submit that the imposition of information transfer restrictions, based on the geographic or
legislative destination would be an inappropriate policy-based decision that could have severe
implications, not only for B.C. and its commercial dealings in North America, but also for other
Canadian provinces.
88 Supra note 80.
89 Ibid. at pg. 12.
90 “When the Minister of Justice receives an MLAT request from another jurisdiction, the Minister of Justice will
decide whether to grant the request and send it to the relevant investigative agency, known in the jargon as the
"competent authority" for action on a best efforts basis...” Ibid.
Instead, it is our hope that the current trends in transnational regulation of commerce and
information flow continue towards the goals of greater co-operation and the creation of new legal
and practical relations for multi-national business.
Jeffrey A. Kaufman, LL.B., Richard D. Butler, Law Student
SCHEDULE A
Public Sector Privacy Legislation

Jurisdiction: Alberta
Legislation: Freedom of Information and Protection of Privacy Act, R.S.A. 2000, C.F.-25
“Protection of Personal Information”: 38.(1) The head of a public body must protect personal information by
making reasonable security arrangements against such risks as unauthorized access, collection, use,
disclosure or destruction.
“Disclosure of Personal Information Without Consent”: 40.(1) A public body may disclose personal information only
…
(g) for the purpose of complying with a subpoena, warrant or order issued or made by a court, person or
body having jurisdiction to compel the production of information or with a rule of court that relates to the
production of information

Jurisdiction: B.C.
Legislation: Freedom of Information and Protection of Privacy Act, R.S.B.C. 1996, c.165
“Protection of Personal Information”: 30. The head of a public body must protect personal information in the
custody or under the control of the public body by making reasonable security arrangements against such
risks as unauthorized access, collection, use, disclosure or disposal.
“Disclosure of Personal Information Without Consent”: 33. A public body must ensure that personal information
in its custody or under its control is disclosed only
…
(e) for the purpose of complying with a subpoena, warrant or order issued or made by a court, person or
body with jurisdiction to compel the production of information.

Jurisdiction: Manitoba
Legislation: The Freedom of Information and Protection of Privacy Act, S.M. 1997, c.50
“Protection of Personal Information”: 41. The head of a public body shall, in accordance with any requirements
set out in the regulations, protect personal information by making reasonable security arrangements
against such risks as unauthorized access, use, disclosure or destruction.
(There are no requirements set out in the regulations)
“Disclosure of Personal Information Without Consent”: 44.(1) A public body may disclose personal information only
…
(m) for the purpose of complying with a subpoena, warrant or order issued or made by a court, person or
body with jurisdiction to compel the production of information or with a rule of court that relates to the
production of information
…
(r) for law enforcement purposes or crime prevention [Note to draft: check as per text issue]

Jurisdiction: New Brunswick
Legislation: Protection of Personal Information Act, S.N.B. 1998, c.P-19.1
“Disclosure of Personal Information Without Consent”: Schedule A – The Statutory Code of Practice
Principle 3 – Consent: The consent of the individual is required for the collection, use or disclosure of
“Protection of Personal Information”: Schedule A – The Statutory Code of Practice
Principle 7-Safeguards: Personal information shall be protected by safeguards appropriate to the
sensitivity of the information.
Schedule B – Interpretation and
Application of the Statutory Code of
Practice
Principle 7: The safeguards to be
adopted include training and
administrative, technical, physical and
other measures, as appropriate in the
circumstances, and include safeguards
that are to be adopted when a public
body discloses personal information to
a third party or makes arrangements
for a third party to collect personal
information on its behalf.
Newfoundland
and Labrador
Access to
Information and
Protection of
Privacy, S.N.
2002, c.A-1.1 (not
in force)
36.(1) The head of a public body shall
protect personal information by
making reasonable security
arrangements against such risks as
unauthorized access, collection, use,
disclosure or disposal.
Nova Scotia
Freedom of
Information and
Protection of
Privacy Act,
S.N.S. 1993, c.5
24(3). The head of the public body
shall protect personal information by
making reasonable security
arrangements against such risks as
unauthorized access, collection, use,
disclosure or disposal.
Northwest
Territories
Access to
Information and
Protection of
Privacy Act,
S.N.W.T. 1994,
c.20
42. The head of a public body shall
protect personal information by
making reasonable security
arrangements against such risks as
unauthorized access, collection, use,
disclosure or disposal.
Nunavut
Access to
Information and
Protection of
Privacy Act
(Nunavut),
S.N.W.T. 1994,
c.20
42. The head of a public body shall
protect personal information by
making reasonable security
arrangements against such risks as
unauthorized access, collection, use,
disclosure or disposal.
© Copyright 2004, Jeffrey A. Kaufman LL.B and Richard D. Butler, Student-at-Law
personal information, except where
inappropriate.
Schedule B – Interpretation and
Application of the Statutory Code of
Practice
3.4. Consent is not required when a
public body collects, uses or discloses
personal information
(a) to protect the health, safety or
security of the public or of an
individual,
(b) for purposes of an investigation
related to the enforcement of an
enactment,
…
(f) as required or expressly authorized
by law.
39.(1) A public body may disclose
personal information only
(e)
for the purpose of complying
with a subpoena, warrant or order
issued or made by a court, person or
body with jurisdiction to compel the
production of information.
27. A public body may disclose
personal information only
(e)
for the purpose of complying
with a subpoena, warrant, summons or
order issued or made by a court,
person or body with jurisdiction to
compel the production of information.
48. A public body may disclose
personal information
(n) for the purpose of complying with
a subpoena or warrant issued or an
order made by a court, person or body
that has the authority to compel the
production of information or with a
rule of court that relates to the
production of information.
48. A public body may disclose
personal information
(n)
for the purpose of complying
with a subpoena or warrant issued or
an order made by a court, person or
body that has the authority to compel
the production of information or with
a rule of court that relates to the
Page 37
production of information.
Ontario
Freedom of
Information and
Protection of
Privacy Act,
R.S.O. 1990, c.F31
Prince Edward
Island
Freedom of
Information and
Protection of
Privacy Act,
S.P.E.I. 2001,
c.37
Quebec
Saskatchewan
An act respecting
access to
documents held by
public bodies and
the protection of
personal
information,
R.S.Q. 1982, c.A2.1
Freedom of
Information and
Protection of
Privacy Act, S.S.
1990-91, c.F22.01
Ont. Reg 460-General, R.R.O 1990
4.(1) Every head shall ensure that
reasonable measures to prevent
unauthorized access to the records in
his or her institution are defined,
document and put in place, taking
account the nature of the information
to be protected.
35.(1) The head of a public body shall
protect personal information by
making reasonable security
arrangements against such risks as
unauthorized access, collection, use,
disclosure, disposal or destruction.
77.(1)(j) Regulation making powers
respecting technical standards and
safeguards to be observed for the
security and protection of personal
information – no regulations passed.
155.(5) The government may make
regulations fixing appropriate security
standards to ensure the confidentiality
of the information entered in a
personal information file.
37.(1) A public body may disclose
personal information only
(f)
for the purpose of complying
with a subpoena, warrant or order
issued or made by a court, person or
body having jurisdiction to compel the
production of information or with a
rule of court that relates to the
production of information.
No regulations.
This legislation contains no provisions
with respect to the type of ‘security’
that must be applied to the holding of
records. (In his recently released
Annual Report, the Privacy
Commissioner recommends that the
legislation be amended to incorporate
such provisions.)
© Copyright 2004, Jeffrey A. Kaufman LL.B and Richard D. Butler, Student-at-Law
29.(1) No government institution
shall disclose personal information in
its possession or under its control
without the consent, given in the
prescribed manner, of the individual to
whom the information relates except
in accordance with this section or s.30.
(2)
Subject to any other Act or
regulation, personal information in the
possession or under the control of a
government institution may be
disclosed:
…
(b)
for the purpose of complying
with:
a subpoena or warrant issued or order
made by a court, person or body that
has the authority to compel the
Page 38
Yukon
Access to
Information and
Protection of
Privacy Act,
R.S.Y. 2002, c.1
Federal
Privacy Act, s.C.
1980-81-82-83,
c.111, Sch.II”I”
Personal
Information
Protection and
Electronic
Documents Act,
2000, c. 5.
33. The public body must protect
personal information by making
reasonable security arrangements
against such risks as accidental loss or
alteration, and unauthorized access,
collection, use, disclosure, or disposal.
Clause 4.5 - Limiting Use, Disclosure,
and Retention
Personal information shall not be used
or disclosed for purposes other than
those for which it was collected,
except with the consent of the
individual or as required by law.
Personal information shall be retained
only as long as necessary for the
fulfilment of those purposes.
© Copyright 2004, Jeffrey A. Kaufman LL.B and Richard D. Butler, Student-at-Law
production of information; or
rules of court that relate to production
of information.
...
(h.1) for any purpose related to the
detection, investigation or prevention
of an act or omission that might
constitute a terrorist activity as
defined in the Criminal code, to:
…
(iii)
the government of a foreign
jurisdiction or its institutions.
36. A public body may disclose
personal information only
(e)
for the purpose of complying
with a subpoena, warrant, or order
issued or made by a court, person or
body with jurisdiction to compel the
production of information.
8.(2) Subject to any other Act of
Parliament, personal information
under the control of a government
institution may be disclosed.
…
(c)
for the purpose of complying
with a subpoena or warrant issued or
order made by a court, person or body
with jurisdiction to compel the
production of information or for the
purpose of complying with rules of
court relating to the production of
information.
Clause 4.3 - Consent
The knowledge and consent of the
individual are required for the
collection, use, or disclosure of
personal information, except where
inappropriate.
Page 39
Collection without knowledge or consent
7. (1) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may
collect personal information without the knowledge or consent of the individual only if
…
Use without knowledge or consent
(2) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may,
without the knowledge or consent of the individual, use personal information only if
…
Disclosure without knowledge or consent
(3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may
disclose personal information without the knowledge or consent of the individual only if the disclosure is
…
(c) required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to
compel the production of information, or to comply with rules of court relating to the production of records;
(c.1) made to a government institution or part of a government institution that has made a request for the information,
identified its lawful authority to obtain the information and indicated that
(i) it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs,
(ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction,
carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of
enforcing any such law, or
(iii) the disclosure is requested for the purpose of administering any law of Canada or a province;
...
(d) made on the initiative of the organization to an investigative body, a government institution or a part of a government
institution and the organization
(i) has reasonable grounds to believe that the information relates to a breach of an agreement or a contravention of the laws
of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed, or
(ii) suspects that the information relates to national security, the defence of Canada or the conduct of international affairs;
…
Use without consent
(4) Despite clause 4.5 of Schedule 1, an organization may use personal information for purposes other than those for which
it was collected in any of the circumstances set out in subsection (2).
Disclosure without consent
(5) Despite clause 4.5 of Schedule 1, an organization may disclose personal information for purposes other than those for
which it was collected in any of the circumstances set out in paragraphs (3)(a) to (h.2).
2000, c. 5, s. 7, c. 17, s. 97; 2001, c. 41, s. 81.