USA PATRIOT Act poses no serious threat to Canadian data, professor says

Published: Thursday, September 25, 2008

FOR IMMEDIATE RELEASE
Sept. 25, 2008

BLOOMINGTON, Ind. -- Information on Canadian citizens should be safe from the reaches of the USA PATRIOT Act, but the Canadian government's response to the Act may pose a greater threat to data privacy, a leading Indiana University School of Law--Bloomington cybersecurity expert testified today (Sept. 25) in Washington, D.C.

Fred H. Cate, Distinguished Professor and C. Ben Dutton Professor of Law, told the Trilateral Committee on Transborder Data Flows that the Canadian government is taking a pragmatic approach to protecting its citizens' data from being accessed by the U.S. government. But Cate, who also serves as the director of the IU Center for Applied Cybersecurity Research, said the approach of some Canadian provinces is causing unintended consequences.

When the USA PATRIOT Act was adopted in 2001, some Canadian provincial government officials expressed concerns that the Act could be used to obtain personal data about Canadian citizens without their knowledge or consent, and amended their provincial privacy laws to prohibit the export of certain personal data to the United States. Cate calls the scenario that led to the export prohibitions highly unlikely.

"The USA PATRIOT Act poses little risk to Canadians' personal information held by public bodies and stored in, or accessible from, the United States," Cate said. "The U.S. government would seem far more likely to access the data it needs for counterterrorism and law enforcement purposes through its direct surveillance programs, some operated in partnership with Canada, or by simply asking Canadian officials, who exercise powers similar to those of their U.S. counterparts, for the required data."

But unintended consequences have arisen from the provincial legislation. Cate testified that such restrictions may be stunting research and adding additional layers of bureaucracy to the everyday lives of Canadians.

Cate said Canada's reactions to the PATRIOT Act have had the following negative effects:

• Reduced service as Canadians are denied access to remote computer support, 24-hour customer service through call centers around the globe, and hundreds of other services that depend on access to a multinational array of people and data.
• Increased bureaucracy and less efficient operation as non-Canadian bidders on provincial contracts must restructure their operations to keep Canadian data in Canada.
• Generated higher costs for providing services to provincial governments and Canadian citizens without allowing access to globally centralized facilities, data, and personnel.
• Increased potential harm to the public by denying Canadians access to non-Canadian fraud detection and identity verification tools, and cross-border data-matching servers that enhance the accuracy of records, help identify and locate criminals, enhance security, and limit the spread of infectious diseases.
• Created a competitive disadvantage, because Canadian businesses can rely on their existing servers, data centers, personnel, affiliates and other resources to serve customers around the world, while non-Canadian businesses must create provincial affiliates with provincial data centers and other provincial resources to service customers in Canada.

For example, three prominent universities had been unable to subscribe to plagiarism detection software and another program that allowed academics and students to store personal information, because they involved connecting through a server located outside of the country. One of those schools, Dalhousie University, spent more than $15,000 to re-locate a server that created "virtual classrooms."

Looking forward, Cate said the risks facing Canadian citizens from legislative measures "seem unjustified" in the unlikely event that the U.S. government would try to access their personal data. "Those risks are unnecessary as well," Cate said. "The geographic restrictions approach to protecting privacy ignores the concepts of reasonableness, balance, and respect for national sovereignty recognized in Canadian law."