Transborder Dataflow Comes Home to Roost
By: Stephanie Perrin
February 22, 2005
Transborder Dataflow Comes Home to Roost
Some Policy thoughts on Commissioner David Loukidelis’ Inquiry on the subject of the Export of Personal Data to the United States and the Implications of the Patriot Act
In the summer of 2004, the Information and Privacy Commissioner of British Columbia David Loukidelis posted a call for comments on the implications of the U.S. Patriot Act on the personal data of Canadians (http://www.oipc.bc.ca/sector_public/usa_patriot_act/patriot_act_resources.htm). Prompted by a complaint from the B.C. Government Employees Union about the outsourcing of the processing of health information of citizens to an American company, the focus was on whether the data in fact would be accessible to US authorities under the Patriot Act, basically out of Canadian control. I commend him for starting a debate that in my view is the richest we have had in two decades on the subject of trans-border dataflow. The Commissioner received over 500 responses, from all kinds of individuals, academics experts, and organizations. Some of the submissions demand response, and as a policy person with a long interest in the field, it was tempting to comment. I did not, but I think it is a very fruitful topic for this project and this space to consider.
As many are well aware, during the 1970s, this country and many others debated the issue of trans-border dataflow in the context of pressures to open up trade in services, particularly data processing, and drop requirements to keep data within domestic borders. It was in this context that data protection achieved importance, and the OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data of 1980 bear the imprints of that pre-occupation, as they were drafted as much to ensure the free flow of data as to protect privacy. Countries were enjoined in the preamble of that document to continue the work of harmonizing their approaches to data protection, and working together on international issues.
Unfortunately the Committee that drafted the guidelines was wound down shortly after the Council of Ministers approved them, and the OECD did not continue the much needed work on international cooperation. While the Guidelines were re-affirmed as a set of fair information practices in 1998 in the context of the OECD Electronic Commerce Conference held in Ottawa, there has not been a renewed, focused international discussion about how to manage the international and jurisdictional problems. The United States had a bilateral discussion with the European Union when they came to the Safe Harbor Arrangement after the Data Protection Directive 95/46 came into effect, but this happened largely behind closed doors and was focused on the Directive, and on how to avoid blockages in data flow. It did not include financial data, and did not focus on law enforcement and national security data. There has been almost no public discussion of the slumbering issue of Article 4(1)(c) of the Directive, which states that telecommunications equipment and software resident in the country, which is used to manage data and ship it outside the community, provides the presence necessary to cause the application of national law. This was certainly a controversial provision at the time, but the development of the global Information Infrastructure has certainly born out the foresight of its drafters; is there another logical way of approaching the problem of remote collection and use? If so, I have not seen it.
While a global discussion on data protection has raged over the past ten years, it has been focused primarily on the mechanics of the world wide web (cookies, privacy policies, P3P) and on opt/out opt/in for marketing. In the context of the huge debate between the US and Europe on whether or not you can achieve adequate data protection without legislating holistically as Europe has done, the attention of privacy watchers and legislators has been drawn to the rather basic questions that we had asked in 1980 when the OECD Guidelines were drafted, and not to the rather more complex issues of what we were proposing to do about the rapid development of global, dynamic dataflows and ubiquitous computing.
Canada has tried, during this period, to focus on the problem. During the Parliamentary Review of the Access to Information Act and the Privacy Act, the recommendation was made in the final Report of the Standing Committee on Justice and the Solicitor General (Open and Shut, 1987) to study transborder data flows. The Department of Justice did so, publishing the report Crossing the Borders in 1989, but there was still a dearth of information about financial dataflows, and no further policy work was published subsequent to the report. Aware of this issue, we developed a national standard for privacy, the Canadian Standards Association’s Model Code for the Protection of Personal Information CAN/CSA-Q830-96, envisaging also the potential development of an international standard which would provide not only a management standard for data protection practices, but a ready intersection with technology standards that contemplated privacy requirements. We also anticipated that such international standards could be useful in harmonizing the different legal regimes for the purposes of trans-border dataflow, and in providing an independent audit mechanism (through accredited ISO auditors) to permit checking on standards in remote and developing jurisdictions.
When the private sector privacy legislation was drafted (the Personal Information Protection and Electronic Documents Act or PIPEDA), the standard was attached to the law as the set of fair information practices required. When data is transferred for ‘processing’, it must be protected to the same level. However thin these protections may seem, I would argue that there is very little that can be done to improve them in the context of keeping data in the hands of the data controller and not that of foreign governments. Here are a few brief reasons why:
• Most foreign data protection laws and constitutional protections do not provide protection for ‘aliens’, or persons who are not citizens or residents of the country. Certainly US law does not.
• Data protection laws routinely have exemptions to permit release of personal information without the consent of the individual for purposes of national security, law enforcement, and a host of routine government functions.
• New anti-terrorism laws have given law enforcement and intelligence agents new powers domestically and new information sharing capabilities in their international organizations.
It can hardly be healthy for democracy to have a closed, hidden network of surveillance information about its citizens, shared around the world by police and intelligence agencies who are not accountable to their own citizens with respect to the collection, use, and disclosure of information, and the accuracy of the information. For many years while I worked in government, I pointed out the risks of the development of these networks, and frankly was frequently dismissed as a paranoid fanatic. So who’s crazy now?
This week, the papers in Canada are full of the story of Moroccan-born Adil Charkaoui, released on bail after 21 months in prison on a national security certificate. No charges were laid, the notes of the CSIS agent who provided the rationale for the arrest were destroyed as is routine, so no evidence was available to the defence. Can we actually run a democracy like this? Surely terrorism and insurrection are difficult problems, just as they were in the days of Magna Carta when we tried to improve our rule of law. But we must find solutions, because we are now living in a time of ubiquitous surveillance where there are practically no limits to how much data can be gathered about us. If that information is not verified by independent authorities, courts and juries, we have concentrated far too much power in the hands of an elite group.
At the same time as this story was breaking, the scandal of the criminal abuse of the vast databases held by Choicepoint broke (see www.epic.org and http://www.washingtonpost.com/wp-dyn/articles/A40379-2005Feb20.html). Choicepoint is one of the success stories of the post-911 environment, a data broker that was formed in 1997 and has bought 50 companies to assemble files on individuals all over the world. They have contracts with virtually every US government agency and are the company that is providing security checks for job seekers of all kinds in the post-911 environment. However, this open market for personal information has allowed criminal gangs posing as legitimate companies to purchase files on 145,000 US individuals, then proceeding to change the victims’ addresses and perpetrate identity theft and fraud on a grand scale. Since EPIC broke its first stories on Choicepoint in 2002, I have asked audiences wherever I speak who has heard of them. So far, there has been scarcely a handful among these well educated security and privacy experts, government policy people and sociologists, consumer advocates and lawyers, who were familiar with the company name. How can we run a democracy where huge private sector companies, un-regulated and unbounded by Charter and Constitutional protections that curb law enforcement authorities, control the information of an entire society and indeed of the citizens of many countries around the world, without the knowledge of the citizen?
This brings me back to the issue of transborder dataflow. There are many reasons why this topic has not been much discussed in the pure state (as opposed to, say, as an aspect of Safe Harbor) over the past few years. Here are a few:
• Western democracies have been keen on opening up trade barriers
• Cybercrime issues have been on the rise, and law enforcement authorities have been attempting to streamline their operations to fight them
• The European Directive on Data Protection took a long time to pass and be implemented, with opposition both within the EU and without, so proponents of blocking dataflow were reluctant to flex any muscle in areas of questionable jurisdiction
• E-Commerce suffers from similar issues in terms of choice of law and lack of consumer protection, and the struggle between consumers who want to maximise their hard fought consumer protection by choosing the best jurisdictions for consumers are up against companies who face a potentially gargantuan task of having to apply all regional laws to their business as they serve e-consumers around the world
• There are no easy answers. Just like global warming, the environment, better parenting, poverty in developing countries, health effects of old pollutants, and many other pressing issues that need to be addressed, there are no easy answers.
And this last point is why we must thank David Loukidelis for opening up the debate again. We have a new generation of young privacy enthusiasts and scholars who have not thought about this issue, but have taken global data flows for granted. Here is the torch, you find the solutions, because those of us who have been worrying this bone since the 80s have not come up with much. Stephanie Perrin will be moderating a panel on this important topic at the Summit of the International Association of Privacy Professionals in Washington on March 10. Check back for her report of what panelists David Loukidelis, Becky Burr (Wilmer Cutler), Peggy Eisenhauer (Hunton and Williams), Jim Harper (Cato Institute) and Michael Geist (University of Ottawa) had to say about the issue. (www.privacyassociation.org)