Canadian Outsourcing Issue, Part II

Last month's column described a Canadian controversy over outsourcing of data processing to a U.S. company. It has interesting implications for any American data companies doing business in Canada. Pay attention if your company markets in Canada or to Canadians or does business in other countries. What happened in Canada could happen elsewhere.
Here is a recap. When the British Columbia government wanted to outsource processing of health claims to an American company, opponents argued that personal data about Canadians would become available to U.S. law enforcement under the USA Patriot Act. Though the contract was awarded, the British Columbia government imposed conditions on the American company. It even amended its own privacy law to impose general restrictions on outsourcing of government data activities.
The conditions in the contract are not trivial. Required technical protections include familiar security requirements and limits on e-mail and data copying. The contract prevents data storage and remote access in the United States. The American parent company cannot access the data.
A second set of conditions includes records management and data retention policies, non-disclosure agreements for all employees and subcontractors and whistleblower protections. Nothing wildly new here, but the express inclusion of these detailed requirements will cause some expense to the contractor.
The corporate protections are the real eye-openers. The province of British Columbia has a power of attorney and a contractual right to take over the operations of the Canadian subsidiary of the U.S. company in the event of a potential disclosure of personal information. That's right, the company agreed to a possible government takeover of its operations.
The Canadian subsidiary must also have an all-Canadian resident board of directors. A dedicated privacy and security officer will monitor compliance with the contract. Liquidated damages are payable to the British Columbia government in the event of disclosure or a privacy breach in response to a requirement of a foreign country. Someone must have really wanted the business to agree to these terms.
It remains to be seen if this contract will be a model for others between Canadian and American data processors. The implications could be significant for U.S. companies, including marketers that do business in both countries using a shared database. Under the British Columbia precedent, a shared database would be impossible. A U.S. marketing company might need a wholly separate Canadian subsidiary with its own facilities, staff and board of directors.
It is way too early, however, to conclude that any of these steps might be necessary. Remember that the contract in question covers processing of government data. A politically accountable government might agree to higher standards than it would impose on private parties. That goes double with a highly visible controversy over outsourcing and privacy. Also, the contract is for 10 years and more than $300 million. Any extra costs will be amortized over many years.
Nevertheless, there are reasons for broader concern. The controversy showed that the Canadian federal privacy law - the Personal Information and Electronic Documents Act - says nothing explicitly about the consequences of the transfer of personal information to other countries. By contrast, the European Union Data Protection Directive has complex provisions regulating the flow of personal data to third countries.
The Canadians did not omit international data restrictions from their legislation casually. They wrote their law while the Americans and Europeans were fighting over how U.S. multinational companies could continue to traffic in personal data and still comply with EU data protection requirements. The outcome of that controversy was unclear at the time, and Canada was not looking for trouble from the 800-pound gorilla to its south. So it said nothing instead, a good Canadian outcome that worked for a time.
That time may be over. The debate over the British Columbia contract has forced the federal privacy commissioner, some provincial privacy commissioners and the government to face the problem. Any Canadian business with a subsidiary or office in the United States can be subject to disclosure orders from U.S. law enforcement or to other disclosure demands from U.S. interests.
Even if a Canadian business controls its own data and processes it exclusively in Canada, the existence of a U.S. subsidiary or parent may make it vulnerable to disclosure in the U.S. unless a protected moat exists around the Canadian operation. So far, the debate covered only government outsourcing of personal data, but the other shoe may drop soon.
In a separate and unpublished decision, the Federal Privacy Commissioner took the position that Canada's privacy legislation stops at the border and that her office does not have the power to investigate companies that do not have a physical presence in Canada. The consequence is that Canadians may be helpless against foreign companies that collect data in Canada and use it in other locations. For example, there might be no remedy against American companies that violate a do-not-call rule for Canadian telephone numbers.
The fight over outsourcing of data processing and the consequences of the USA Patriot Act may cause a broader review of the international consequences - or lack thereof - of the Canadian privacy law. It is impossible to predict what might happen or when. However, there may be consequences soon for any American marketing or data processing company that does business in Canada or with Canadians.