The EU also decided that member states may authorize the transfer of personal information to countries which do not ensure an adequate level of protection through legislation, but which allow safeguards to be established through contractual clauses.
Further information about the Safe Harbor framework and the contracting guidelines is available at the U.S. Department of Commerce website www.export.gov/safeharbor.
3.5 Extra-territorial Application of Foreign Law
USA PATRIOT Act
The USA PATRIOT Act, enacted by the U.S. Congress shortly after September 11, 2001, is anti-terrorism legislation that, among other things, expanded the intelligence-gathering and surveillance powers of law enforcement and national security agencies by amending the U.S. Foreign Intelligence Surveillance Act (FISA). Section 215 of the PATRIOT Act allows U.S. authorities to obtain records and other “tangible things” to protect against international terrorism. Section 218 of the Act requires that foreign intelligence gathering need only be “a significant purpose” of surveillance in the U.S., thus allowing the use of information for other, unrelated purposes. Section 505 of the Act expands the circumstances under which the FBI can compel financial institutions, telephone companies and Internet service providers to secretly disclose information about customers.
After the enactment of the PATRIOT Act, concerns were raised in Canada that these provisions could be used to order a corporation located in the U.S. to produce information obtained in the process of providing services under contract to a public body in Canada. In addition, it was suggested that these provisions could be used to compel information from an affiliate of a U.S. corporation located in Canada.
In 2006, the Information and Privacy Commissioner of Alberta issued a report on the risks presented by the outsourcing practices of public bodies, and how the risks could be mitigated. The report recommended operational, contractual, and legislative measures. Recommended operational measures included a policy for retaining personal information in Canada, preferably in Alberta, with deviations only where program requirements, costs or security could not reasonably be met within Canada.
The recommended contractual provisions included prohibiting subcontracting without written consent, requiring notice of any demand for access or unauthorized access to personal information in the contractor’s custody, requiring monitoring and auditing rights, and addressing consequences for a breach.
The recommendations for legislative action to address outsourcing concerns included amending the FOIP Act to clarify that disclosure of personal information pursuant to a court order may be made only with respect to a Canadian court with jurisdiction, and increasing the penalties for a breach.
The FOIP Act was amended in 2006 to address concerns about access to personal information by foreign law enforcement authorities. This amendment makes it clear that a public body, and anyone acting on its behalf, may disclose personal information in response to a subpoena, warrant or order of a court or tribunal, or to comply with a court rule, only if the court or tribunal has the power in Alberta to require the public body to disclose the information. A court or tribunal of another country or of a province or territory of Canada other than Alberta does not have jurisdiction in Alberta. However, an order of such a court or tribunal may be enforceable in Alberta under legislation of Alberta that provides for the reciprocal enforcement of orders (for example, Alberta’s Interprovincial Subpoena Act), or a court procedure that makes an order filed with a court in Alberta enforceable as an order of the Alberta court.
Intentionally disclosing personal information to a foreign court is now an offence under the FOIP Act, and is subject to a penalty of between $200,000 and $500,000 (section 92(3) and (4)).
Public bodies should address demands for information by courts in their contracts. A public body’s contract with a principal contractor should also require the contractor to bind its subcontractors and employees to not disclose personal information in response to a subpoena, warrant or order of a court or tribunal without the express permission of the public body.
In addition, the contract should require the contractor to inform the public body if any subpoena, warrant or order is issued to the contractor or any person acting on behalf of the contractor, even if the subpoena, warrant or order, or the legislation governing the issuing court or tribunal, requires secrecy.
Public bodies should seek legal advice regarding contracts with organizations that are subject to U.S. law.