The Impact of U.S. Law on Canadian IT Businesses

The Impact of U.S. Law on Canadian IT Businesses

Canadian information technology companies are players on a global stage. Few large information technology projects are restricted to only one country and any venture into electronic commerce invariably crosses borders. No ambitious Canadian IT company is content to narrow its sights to the domestic market. Lawyers advising these businesses have always had to maintain an awareness of legal developments elsewhere but the last few years have brought with them a range of new laws that affect their southward-looking clients. No area of law has seen as much change at that touching upon the protection of personal information.

The one law that has received the greatest publicity and, perhaps, the greatest scrutiny, is the USA Patriot Act, which was passed by the Congress within two months of the terrorist attacks of September 11, 2001. This law does not single out the technology industry but a number of its provisions have had a particular impact on cross-border services, regardless of the direction in which those services flow. Section 505 of the USA Patriot Act short-circuits ordinary search warrant requirements and allows the Federal Bureau of Investigation to have access to records such as financial records, credit reports, ISP logs and transactional records for intelligence, counter-intelligence and anti-terrorism purposes by use of a “national security letter”. The recipient of a national security letter is required to hand over the information requested and is specifically precluded from informing the individual concerned that the US government has sought access to the information. When information on Canadians is within the jurisdiction of the United States, privacy advocates fear that this information will be too-readily made available to law enforcement, who are able to dispense with the usual “probable cause” requirements. Information in the custody of a US company (or a subsidiary) in Canada may be within the Act’s jurisdiction.

In May of 2004, the Information and Privacy Commissioner of British Columbia initiated a public consultation on whether these provisions of the USA Patriot Act would infringe upon the privacy of British Columbians following an announcement by the BC Government that it would outsource the processing of medicare claims to a Canadian subsidiary of a US company. The request for submissions resulted in more than five hundred contributions from individuals and organizations throughout Canada.

As was pointed out in a number of submissions to the BC Commissioner, personal information has always been available for law enforcement, intelligence and anti-terrorism investigations, regardless of where the information actually resides. The principal effect of the BC Commissioner’s report was to shine a spotlight on the cross-border sharing of personal information and to raise awareness – some might say paranoia – about Canadian personal information being stored in the United States. The attention to the issue spawned significant changes to the BC public sector privacy law and put government outsourcing under the microscope. Many outsourcing customers, government included, are now including language to prohibit the transfer of personal information outside of Canada, and in some cases outside the home province of the customer.

Legal changes in California’s privacy laws are spilling over to other states and are having an impact upon Canadian technology companies. California’s trail-blazing consumer privacy law, which has been followed in a number of US states, requires that organizations notify affected individuals whose personal information may have been compromised or accidentally disclosed. The California law is intended to operate extra-territorially. These laws not only place the company in the uncomfortable position of having to notify customers, but also provide penalties for failing to do so. The California law in particular has prompted the recent deluge of public disclosures of privacy and security breaches in the United States and has also increased consumer expectations on both sides of the border. Similar provisions have found their way into Ontario’s relatively new Personal Health Information Protection Act and the concept of mandatory notification will undoubtedly be considered as part of the five year review of the Personal Information Protection and Electronic Documents Act.

In an era in which privacy and security are perceived to be clashing on a regular basis and in which identity theft is characterized as one of the fastest-growing crimes, it should not be surprising that technology lawyers have to grapple with privacy on a more regular basis as both a customer-relations issue and as a significant regulatory concern. At least a baseline knowledge of the legal regimes on both sides of the border are necessary to get a sense of the big picture for advising clients.


This article originally appeared in the Oct 7, 2005, issue of The Lawyers Weekly
at 12:39 PM
Labels: , , , , , , , ,

0 comments:

Post a Comment

  • Health Care Reform Explained from B... Dan Roam at the Back of the Napkin Blog sums up the current health care reform effort in this four part health care series, Healthcare Napkins All. Great back of the...
  • Why We Need A Health Care Revolutio... Dr. Val Jones' road to revolution provides her personal perspective on the current state of our health care system and why we all need to work for change.Don't miss the...
  • The important lesson from sandcastl... As I return to West Virginia after a week spent at the beach -- this post by Jim Carrol, Futurist, Trends & Innovation Expert, caught my attention. Much of my week on...
  • A little Nick: I'm a liberal an... Law blogger posts online: Don't miss reading this post by my favorite hospital blogging CEO, Nick Jacobs over at Nick's Blog. Much of what Nick has to say strikes a chord with me and this post is...
  • Executive Order Impacts Health Care... Law blogger posts online: President Bush signed an Executive Order on August 22 requiring federal agencies to do more to inform public health care consumers about the cost and quality of health...
  • eHealthWV: West Virginia EHR Public... Law blogger posts online: As a part of West Virginia's participation in the Health Information Security and Privacy Collaborative (HISPC), West Virginia Medical Institute and its partners launch...
  • Physicians vs. Patient: Rating-Perm... Interesting post from the WSJ Health Blog on Medical Justice's new ratings-permission contracts (press release on service).This new service offered by Medical Justice...
  • Just when you thought it was safe: ... Law blogger posts online: I’ve blogged previously about just how much I hate browser toolbars and nothing much has changed in the four years that have passed. Call me nosey, but when I’m...
  • Governor Manchin Approves Cardiac C...The West Virginia Health Care Authority website indicates today that Governor Manchin approved the final revised certificate of need Cardiac Catheterization Standards.
  • A Law Actually Interview with… Litt... Next up in the interview chair is Gemma from Little Tiny Pieces. Little Tiny Pieces is an interesting name?  What it inspired it; does it have any hidden meanings?...
  • Let the voting commence!... Law blogger posts online: Yes, after two long weeks of nominations, the shortlist for the 2010 Blawggies has been decided and voting for the awards can officially begin! The polls will remain...
  • Is blogging good for your health?... Law blogger posts online: Is blogging good for your health?This Boston Globe article, Cancer blogs become part of treatment, indicates that blogging about your condition has a positive impact.The...
  • ADVANCE Magazine - Article on EHRs ... Recently I was interviewed for an article looking at the legal issues involved in the developing world of EHRs and PHRs written by Beth Walsh for ADVANCE Magazine. The...