Tuesday, December 10, 2013

Massive loopholes in Canadian privacy laws permit sharing of personal information with foreign governments and law enforcement

Over the course of the past few weeks, Canadians have been surprised to learn about circumstances where the US immigration authorities appear to have obtained access to sensitive health information about Canadians proposing to travel to the US. (See: Access to Canadian health files by U.S. border agency sparks demands for inquiries | Toronto Star and Toronto woman with bipolar disorder refused entry into U.S. for being a ‘flight risk’ | Toronto Star).

Canadian privacy regulators are looking into these incidents, but it is worth considering the incredibly wide latitude that police in Canada have for sharing the sensitive personal information of Canadians with foreign law enforcement agencies.

The Privacy Act, for example, explicitly authorizes police to hand your information over to foreign cops in a range of circumstances:

Disclosure of personal information

8. (1) Personal information under the control of a government institution shall not, without the consent of the individual to whom it relates, be disclosed by the institution except in accordance with this section.

personal information may be disclosed

(2) Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed ...

(f) under an agreement or arrangement between the Government of Canada or an institution thereof and ... the government of a foreign state, an international organization of states or an international organization established by the governments of states, or any institution of any such government or organization, for the purpose of administering or enforcing any law or carrying out a lawful investigation;

Notice that it is not limited to written treaties, written agreements or even written arrangements. Also note that it is refers to "administering any law", which can include administering a foreign law, which does not have to be consistent with the Canadian Charter of Rights and Freedoms.

The provinces also have very similar laws with enormous "law enforcement" loopholes. As another example, here's Ontario's Freedom of Information and Protection of Privacy Act on the subject:

Where disclosure permitted

42. (1) An institution shall not disclose personal information in its custody or under its control except, ...

(f) where disclosure is by a law enforcement institution,

(i) to a law enforcement agency in a foreign country under an arrangement, a written agreement or treaty or legislative authority, or

(ii) to another law enforcement agency in Canada;

(g) where disclosure is to an institution or a law enforcement agency in Canada to aid an investigation undertaken with a view to a law enforcement proceeding or from which a law enforcement proceeding is likely to result;

The Privacy Commissioner of Canada pointed out this problem a decade ago, but it fell on deaf ears. This is from her later recommendations in 2008:

However, the Privacy Act does not reflect this increase in international information sharing. The Privacy Act places only two restrictions on disclosures to foreign governments: an agreement or arrangement must exist; and the personal information must be used for administering or enforcing a law or conducting an investigation. The Privacy Act does not even require that the agreement or arrangement be in writing. The Privacy Act does not impose any duty on the disclosing institution to identify the precise purpose for which the data will be disclosed and limit its subsequent use by the foreign government to that purpose, limit the amount of personal information disclosed and restrict further disclosure to third parties. Moreover, the Privacy Act even fails to impose any basic obligations on the Canadian government institution itself to adequately safeguard personal information. ARCHIVED - Proposed Immediate Changes to the Privacy Act (April 29, 2008) Privacy Commissioner of Canada.

Yup, it's essentially carte blanche for government institutions to disclose your information without a warrant for law enforcement purposes and for them to share it with foreign governments. It may be lawful, but it's not right.

No comments: