
Cross-Border Privacy Issues in the Era of the USA PATRIOT Act Presentation to Toronto Computer Lawyers Group January 3



Presentation Transcript


    1. Cross-Border Privacy Issues in the Era of the USA PATRIOT Act
        Presentation to Toronto Computer Lawyers’ Group, January 31, 2008
        By: Michael Fekete, Osler, Hoskin & Harcourt LLP

    2. From 30,000 Feet to the Airport Runway
        - 30,000 feet: Contextualizing the Patriot Act issue
        - 20,000 feet: Understanding the current regulatory requirements
        - 10,000 feet: Identifying the response in the marketplace
        - Ground level: Advising clients/negotiating contracts

    3. 30,000 Feet (cont.)
        What is the USA PATRIOT Act and why has it become a privacy issue?
        - US legislation designed to assist law enforcement investigate terrorist and criminal activities
        - Amended pre-existing US laws
        - First became an issue in Canada due to 2004 legal challenge by a union to outsourcing by the Province of BC
        - Subsequent privacy debate has expanded to address trans-border data flows in the context of public and private sector activities

    4. 30,000 Feet (cont.)
        What are the privacy issues?
        - Data hosted in, processed in, or transferred to another country is subject to the laws of that country
        - Whether data in Canada accessible from the foreign country is subject to laws of that country
        - Whether data processed in Canada by foreign entity or its local affiliate is subject to laws of the foreign country
        - Scotiabank case in US
        - eBay case in Canada
        - Whether (or in what circumstances) the privacy risks warrant keeping data in Canada and/or processing it “in-house”

    5. 20,000 Feet: The Regulatory Environment
        Public Sector Privacy Laws
        British Columbia (Amendments to BC’s FOIPPA: Bills 73, 16 and 30)
        - BC public bodies and their service providers must not store, access or disclose outside of Canada personal information controlled by public bodies
        - Restrictions apply to virtually all personal information without taking into account the sensitivity or amount of the information
        - Limited exceptions include:
        - Consent of individual
        - Business contact information
        - Laptops (limited circumstances)
        - Systems maintenance/data recovery
        - Out-of-country access/storage must be “necessary”
        - Temporary access/storage only for minimum time necessary
        - Service provider may require public body approval

    6. 20,000 Feet (cont.)
        Public Sector Privacy Laws
        Nova Scotia (Personal Information International Disclosure Act)
        - Adopts across-the-board geographic restrictions similar to BC
        - Applies to public bodies and their service providers
        - Head of a public body has authority to override geographic restrictions if storage or access “is to meet the necessary requirements of the public body's operation”

    7. 20,000 Feet (cont.)
        Public Sector Privacy Laws
        Alberta (Alberta’s FOIP Act: Bill 20)
        - New offence: No one (including service providers) may wilfully disclose public body controlled personal information to a court with no jurisdiction in Alberta
        - May create across-the-board geographic restriction
        - Conflict of laws: Service providers processing data outside of Alberta could face choice of complying with Alberta laws or laws in the jurisdictions in which they operate or store data

    8. 20,000 Feet (cont.)
        Public Sector Privacy Laws
        Quebec (Quebec’s Act respecting Access to documents held by public bodies and the protection of personal information: Bill 86)
        - Public bodies must ensure that personal information entrusted to a service provider outside of Quebec receives equivalent protection

    9. 20,000 Feet (cont.)
        Public Sector Privacy Laws
        Federal Government
        Treasury Board Guidance Document: Taking Privacy into Account Before Making Contracting Decisions (March 2006):
        - risk management framework (emphasis on “make or buy” decisions and contractual protections)
        - risk assessment to consider:
            - sensitivity of the information
            - expectations of the individual
            - probability and gravity of injury

    10. 20,000 Feet (cont.)
        Public Sector Privacy Laws
        Personal Health Information
        - BC’s FOIPPA applies to health authorities and hospitals
        - Ontario Personal Health Information Protection Act creates general restriction on disclosure outside of Ontario by custodians and agents

    11. 20,000 Feet (cont.)
        Private Sector Privacy Laws
        Federal (PIPEDA)
        - Does not address trans-border data flows
        - Guidance from the Privacy Commissioner (Case summaries 313, 333, 365)
        - Data flows to service providers are “transfers” (rather than “disclosures” to which an individual’s consent is required)
        - Subject to the “reasonableness” requirement, PIPEDA does not prohibit organizations from:
            - using foreign-based service providers
            - off-shoring data processing
        - PIPEDA does require that:
            - notice be given to individuals of (i) the off-shoring and (ii) the potential privacy implications
            - How specific? When?
            - comparable level of protections using contractual or other means

    12. 20,000 Feet (cont.)
        Private Sector Privacy Laws
        Quebec (Bill 86)
        - Personal information cannot be transferred outside Quebec if the information will not receive the same protection as under Quebec law in respect of use and disclosure
        - organizations need to consider likely impacts of foreign laws
        - Disclosure to comply with laws is now restricted to Quebec laws

    13. 10,000 Feet: The Response in the Marketplace: The Impact on Outsourcing and IT Contracting
        Public Sector Deals
        - Increasingly difficult to deliver services without a Canadian workforce and datacentre due to:
            - Regulatory requirements
            - RFP requirements (e.g., Ontario government RFPs often require data to be kept within Canada)
            - Internal “Privacy Rules” adopted by public bodies

    14. 10,000 Feet (cont.)
        Public Sector Deals
        Non-legislative “Privacy Protection Measures”
        - BC has created list of 52 privacy protection measures to be considered when negotiating service agreements with a US company or a Canadian company with a US parent
        - Four categories:
            - Technology and business processes (including audit and control procedures, audit trails for data access and ISO17799 compliance);
            - Employee strategies (including direct agreements with service providers’ employees and utilization of employees of Canadian companies);
            - Contractual measures (including liquidated damages in the event of disclosure, parent company guarantees, powers of attorney and broad termination rights); and
            - Corporate structure (including Canadian incorporation and three layer corporate structure)

    15. 10,000 Feet (cont.)
        Public Sector Deals
        Corporate structure (e.g., Maximus transaction with BC government)
        - Objective: insulate the personal information from the US parent company
        - Operating companies formed in BC and owned by federally incorporated Canadian subsidiary of US parent
        - All directors of the BC companies are Canadian citizens resident in British Columbia
        - Maximus Canada’s shares in the BC companies are held in trust by a trust company in BC
        - shares can be transferred to the government in the event of a privacy breach or an anticipated breach

    16. 10,000 Feet (cont.)
        Public Sector Deals
        Privacy Schedules (examples of concepts)
        - One-size-fits-all
        - Compliance with all current and future laws
        - Compliance with privacy commissioner’s rulings/directions
        - No collection of PI without authorization and/or consent
        - No transmission of PI over the Internet (whether by email or otherwise) without authorization
        - Retention of PI in Canada; no access from outside of Canada
        - Contractual acknowledgement that service provider is not subject to USA PATRIOT Act
        - Audit trail/user access logs

    17. 10,000 Feet (cont.)
        Private Sector Deals
        - Privacy risk assessments are common
        - General recognition of operational challenges created by keeping data in Canada
        - General recognition that customer needs to pay for the safeguards it needs/wants
        - Focus on using contracts to provide comparable level of protection

    18. 10,000 Feet (cont.)
        Online Services
        - Many online servers are made available using datacentres outside of Canada
        - Notice of out of country data storage is common
        - Onus placed on customer to limit use of service to avoid regulatory compliance issue

    19. Ground Level: Advising Clients and Negotiating Deals
        - Identify regulatory requirements
            - public bodies in BC, Nova Scotia, Alberta and Quebec (and their service providers)
            - personal health information
            - notice to individuals
            - comparable protections
        - Undertake privacy risk assessment
            - incidental access? data processing?
            - sensitive data? contact information?
            - nature of potential harm
            - reasonableness/expectations of individual
            - relevance to foreign law enforcement
            - ability of foreign law enforcement to target information

    20. Ground Level (cont.): Advising Clients and Negotiating Deals
        - Consider non-contractual solutions
            - anonymization of data
            - technological measures
        - Categorize the services
            - type of services (e.g., support services / data processing)
            - location of services (e.g., onsite / remote access)
            - category of supplier (e.g., local supplier / global service delivery organization)

    21. Ground Level (cont.): Advising Clients and Negotiating Deals
        - Identify operational challenges for the customer and service provider
            - consider who can best take responsibility
            - e.g., training customer’s IT help desk or service provider’s global support team
            - e.g., covenant by customer not to disclose (with process to address inadvertent disclosure to service provider) or detailed privacy protection measures
        - Address the possibility of changes in laws
            - obligation to comply
            - who bears the costs
            - termination rights
        - Consider standard for “comparable level of protection”

    22. Ground Level (cont.): Advising Clients and Negotiating Deals
        - Identify privacy protection measures appropriate to the circumstances
        - examples of protection measures:
            - encryption
            - access controls (such as through IDs and passwords)
            - security of physical plants
            - firewalls/server intrusion detection systems
            - use of private networks to process data
            - restrict use of floppy drives, CD burners, USB drives, etc.
            - audit trail of access to data
            - documented procedures for retaining and destroying data
            - confidentiality agreements with employees

    23. Ground Level (cont.): Advising Clients and Negotiating Deals
        - examples of protection measures (cont.):
            - data protection audits
            - limit subcontracting without consent
            - process/store/access data only in approved jurisdictions
            - privacy impact assessments prior to systems changes
            - commitment to provide notice for access request by law enforcement/courts (to the extent permitted by applicable law)
            - commitment to challenge access request by law enforcement/courts (to the extent permitted by applicable law)

    24. Take away messages
        - Regulatory framework is evolving, with no shortage of “open” issues
        - “Delivered in Canada” solutions are becoming more common
        - “One-size-fits-all” privacy schedules often miss the mark
        - Privacy assessments and context-specific legal advice are critical to advising clients and negotiating deals
