Indiana University School of Law--Bloomington
FOR IMMEDIATE RELEASE
Sept. 25, 2008
BLOOMINGTON, Ind. -- Information on Canadian citizens should be safe from the reaches of the USA PATRIOT Act, but the Canadian government's response to the Act may pose a greater threat to data privacy, a leading Indiana University School of Law--Bloomington cybersecurity expert testified today (Sept. 25) in Washington, D.C.
Fred H. Cate, Distinguished Professor and C. Ben Dutton Professor of Law, told the Trilateral Committee on Transborder Data Flows that the Canadian government is taking a pragmatic approach to protecting its citizens' data from being accessed by the U.S. government. But Cate, who also serves as the director of the IU Center for Applied Cybersecurity Research, said the approach of some Canadian provinces is causing unintended consequences.
When the USA PATRIOT Act was adopted in 2001, some Canadian provincial government officials expressed concerns that the Act could be used to obtain personal data about Canadian citizens without their knowledge or consent, and amended their provincial privacy laws to prohibit the export of certain personal data to the United States. Cate calls the scenario that led to the export prohibitions highly unlikely.
"The USA PATRIOT Act poses little risk to Canadians' personal information held by public bodies and stored in, or accessible from, the United States," Cate said. "The U.S. government would seem far more likely to access the data it needs for counterterrorism and law enforcement purposes through its direct surveillance programs, some operated in partnership with Canada, or by simply asking Canadian officials, who exercise powers similar to those of their U.S. counterparts, for the required data."
But unintended consequences have arisen from the provincial legislation. Cate testified that such restrictions may be stunting research and adding additional layers of bureaucracy to the everyday lives of Canadians.
Cate said Canada's reactions to the PATRIOT Act have had the following negative effects:
For example, three prominent universities had been unable to subscribe to plagiarism detection software and another program that allowed academics and students to store personal information, because they involved connecting through a server located outside of the country. One of those schools, Dalhousie University, spent more than $15,000 to re-locate a server that created "virtual classrooms."
Looking forward, Cate said the risks facing Canadian citizens from legislative measures "seem unjustified" in the unlikely event that the U.S. government would try to access their personal data. "Those risks are unnecessary as well," Cate said. "The geographic restrictions approach to protecting privacy ignores the concepts of reasonableness, balance, and respect for national sovereignty recognized in Canadian law."