The outsourcing issue contains a multitude of political and economic dimensions, some of which have privacy implications. Even the privacy side of outsourcing has multiple facets.
In 2004, Sen. Bill Nelson, D-FL, introduced privacy legislation to regulate outsourcing. In California, the governor vetoed a bill to prohibit healthcare businesses from transmitting personally identifiable information outside the United States without authorization.
The most interesting outsourcing dispute occurred in Canada, where a fracas arose over the prospect that health data on Canadians might end up in the United States. It began when the British Columbia government decided to outsource the processing of medical claims previously processed by government employees.
The union representing those employees objected to the loss of jobs, but it cleverly found other reasons to object. One principal argument was that the data might fall into the hands of the U.S. government because the proposed data processing contractor was an American multinational company.
The USA Patriot Act became a focus of the B.C. outsourcing debate. That law, enacted shortly after the 9/11 terrorist attacks, increased the federal government’s ability to obtain records from businesses, libraries and others without significant judicial oversight. Section 215 requires a judge to sign any qualifying disclosure order without weighing the value of the information sought or the privacy of the data subject.
U.S. civil libertarians think the law is an unconstitutional domestic expansion of authority under the Foreign Intelligence Surveillance Act. Others see it as providing necessary tools in the war against terrorism. The Supreme Court eventually may have to rule on the act’s constitutionality, and the law’s actual merits are not the focus here.
What’s noteworthy is that the lack of broad U.S. privacy laws, together with expansive government authority to obtain personal information, became an issue in another country. Previous international controversies over the transborder flow of personal information resulted mostly from actions in Europe. The EU Data Protection Directive restricted the transfer of personal information to countries with inadequate privacy laws, including the United States. However, after five or so years of consternation over the issue, few actual problems have been reported. For Europe, at least, the transborder data flow issue has largely gone to sleep.
In Canada, however, the data export issue came to life dramatically. Opponents of the proposed outsourcing had a genuine bogeyman in U.S. Attorney General John Ashcroft. The rallying cry was that the contract would put the personal medical records of Canadians in the hands of Ashcroft and the FBI. That possibility seemed to resonate across Canada, despite the likelihood that few, if any, Canadian health records would be of interest to U.S. law enforcement authorities.
In spring 2004, British Columbia’s information & privacy commissioner responded to the growing controversy by seeking public comment on the scope of the USA Patriot Act and the implications for Canadian privacy protections. He received more than 500 submissions, some from the U.S. and Europe. The large number of responses seems a reasonable proxy for the degree of interest.
For those interested in the details of the analysis, surf to the B.C. commissioner’s report at www.oipcbc.org/sector_public/usa_patriot_act/pdfs/report/privacy-final.pdf. If you want a shorter analysis, look for Canadian law professor Michael Geist’s submission “The Long Arm of the USA Patriot Act: A Threat to Canadian Privacy?” It’s at www.mgblog.com/resc/Geisthomsi
patriotact.pdf.
It’s a complex subject, but some broad conclusions are easy. First, the USA Patriot Act isn’t the onl law that might force a U.S. company doing business with the Canadian government to turn over records on Canadian citizens. Records also might be within the reach of grand jury subpoenas, National Security Letters and other procedures that could require the production of records.
Though Canada has its own privacy law – the Personal Information and Electronic Documents Act – it’s unclear whether disclosure of a record in response to a U.S. demand would always violate Canadian law since the act authorizes various legitimate disclosures, including some for law enforcement.
The legal questions are a morass because they are novel and fall at the intersection of three complex areas: privacy; the authority of law enforcement agencies; and international relations between governments. To understand all of the implications, it would help to be an expert in all of these areas.
I won’t address the legal complexities in this space, but because there is more to say, I will continue this discussion in my next column. However, I won’t leave you in suspense. After all the studies, British Columbia proceeded with its planned outsourcing. It awarded a 10-year, $324 million (Canadian) contract to the same U.S. company (Maximus Inc.) as originally planned. The terms of that contract and the implications for U.S. companies doing business in Canada will be covered next time.
