 Privacy-law
experts expect provincial and federal governments to be pressured for more laws
to protect confidential information that is now ending up in the hands of
foreign-based private businesses because of government outsourcing.
 But,
while Canadians fear the U.S.
government may be able to gain access to this material under anti-terrorism
laws, they also realize that Canadian businesses are net beneficiaries of the
trend toward outsourcing,
At
the federal level, the controversy over government information outsourcing came
to a head last year, when New Democrat MPs revealed the government had awarded
a contract for the 2006 census to a Canadian subsidiary of Lockheed Martin.
At
the provincial level, in 2004, the British
Columbia government was pressured by its
public-sector unions to stop its plan to outsource the management services of
its health insurance and pharma-care systems. Rather than back down on the
proposal, the government passed stringent rules regarding the protection of the
data.
Outsourcing
of data management is a huge business. The government of the United Kingdom outsources $140 billion worth of
services, an amount nearly equivalent to Canada's entire federal spending.
Canadian and U.S.
governments are catching up, and, because of Canada's
English-speaking workforce and relatively low labour costs, it is a preferred
location for U.S.
firms.
(U.S.
politicians, however, have tried to block foreign outsourcing of data
management. The U.S. Senate passed a bill to prevent the practice, but it was
not enacted.)
And,
while Canadian unions claim outsourcing of government services will cost as
many as 75,000 jobs, proponents of outsourcing say Canada could see a net gain of
165,000 jobs.
Theodore
C. Ling of Baker and McKenzie LLP in Toronto
said firms are watching to see whether the policy of the British Columbia government becomes the norm
across the country.
"The
situation in B.C. has been of high interest to any company that might be
engaged in outsourcing because it's the first time we've seen a government
change a law to restrict that type of outsourcing activity," Ling said.
"It
has evolved from a specific situation where Canadian public sector workers were
going to lose jobs. But (the B.C. policy) affects only the public sector. No
laws exist to restrict the flow of information in the private sector," he said.
The
B.C. statute is similar to laws in many European countries. It prevents
disclosure of information based on foreign court orders. Critics of foreign
outsourcing say the law does not go far enough, since there are now about 350
laws in the U.S.
that allow police and prosecutors to demand information without a court review.
The
penalties under the B.C. law are a $2,000 fine for individuals and $500,000
fines for corporations. However, U.S.
courts have ruled that criminal sanctions in a foreign country do not prevent U.S. courts
from compelling production of information.
Ling
said businesses are concerned that the federal government is going to use its
regulatory powers over sectors of the economy such as banking and
transportation to toughen privacy rules in Canada, and for Canadian
information held abroad.
"Service
providers are mobilized to say to government 'Hey, don't be too quick to expand
these laws. That will affect our ability to get this kind of work or outsource
this kind of work. This would be very bad for the Canadian economy,'" Ling
said.
"The
question before us is: Will the federal or provincial governments want to
restrain the flow of information?
"There
are people who will care about their privacy rights because the concern is so
much greater in the public sector. It was information about the public. In the
private sector, companies handle information about their business partners and
their employees.
"So
you may see the federal government try to change laws or put in place
guidelines about how the federal government outsources government activities.
You may see industrial guidelines. I don't think we will see new laws in Canada that restrict that flow of information
from Canada,"
he said.
But
Lydia Wakulowsky, chairwoman of the health law group at McMillan Binch
Mendelsohn LLP, said there's such a gap between privacy laws in Canada and the U.S. that many privacy advocates
are worried about the flow of information over the border.
"The
U.S.
federal government enacted the U.S.A. Patriot Act as an anti-terrorism measure
shortly after Sept. 11, 2001. The U.S.A Patriot Act makes it easier for the FBI
to gain access to records containing personal information in the U.S.," she
said.
In
fact, the law allows U.S.
authorities to compel the disclosure of information held in the U.S. by foreign and U.S. companies. The Patriot Act and
related statutes give U.S. police and grand juries wide subpoena power, and
allow investigators to slap gag orders on companies that have been ordered to
hand over data.
"This
is relevant to Canadians when Canadian companies outsource information
management functions to U.S.
firms. B.C. has responded by amending its Freedom of Information and Protection
of Privacy Act. The amendments prevent public-sector institutions from storing
personal information outside of Canada;
prohibit public bodies and their service providers and suppliers from
disclosing personal information outside of Canada and make it mandatory for
them to report any foreign demand for such information that is not authorized
by the B.C. Act.," she said.
Both
Ling and Wakulowsky expect the Ontario
government to be confronted with the issue.
"Ontario has not yet introduced similar provisions, but Ontario companies have
started to re-evaluate their own information-handling processes," said
Wakulowsky. "They are asking prospective vendors whether any information would
be processed in the U.S. and
they are taking steps to ensure information is processed only in Canada."
The
issue will be discussed at the federal level next year. Ottawa's federal Personal Information
Protection and Electronic Documents Act is due to be reviewed in 2006.
Wakulowsky said the review gives the federal government has an opportunity to
address the issues arising from the U.S. Patriot Act.
The
federal Personal Information and Electronic Documents Act (PIPEDA) took effect
in 2001. All businesses must now comply with the law.
|
