By Andrew Stobo Sniderman, JD 2014 / Photography by Jeff Kirk

From the Fall/Winter 2015 issue of Nexus

Professor Lisa Austin, LLB 1998, cares about privacy, and perhaps the best way to explain her latest preoccupation is by thinking about how a love letter e-mailed from Toronto to Vancouver falls into what she calls a “constitutional black hole.”

Let’s say the Canadian government wanted to view the contents of this letter, suspecting that Romeo, for all his charms, might be a terrorist. The police would need to approach a judge to get a warrant and justify a limited-time need to read such communications en route to Juliet.

But what if the American government wanted to view the same message? It turns out it is far easier for Americans to spy on Canadians, primarily because the e-mail, if it was written from a Gmail or Hotmail account, actually passes through a data storage centre in the United States on its route from a keyboard in Toronto to a swelling heart in Vancouver.

The Canadian “cloud” is, in fact, mostly located in the United States, and our data that is stored in the United States can be surveilled according to different—and lower—standards.

When Canadian personal data is in the United States, it does not get protection from the Charter of Rights and Freedoms. It also does not get protection from the American Constitution, which does not apply to non-US residents. Hence the black hole.

The National Security Agency (NSA), whose ubiquitous eavesdropping was made infamous by Edward Snowden’s leaks, could access the love letter without a search warrant, which would be unconstitutional in Canada. And since the United States and Canada share intelligence so comprehensively, the worry is Canada could get the love letter directly from the NSA, which would defeat the purpose of all the legal protections Canadians are supposed to enjoy.

Snowden’s revelations and the ensuing backlash led to some reforms of American surveillance, but it seems they only offer weak protections for non-American residents.

So the question becomes: how should Canada protect the data of Canadians?

The issue for Austin is not rogue spy agencies or criminals illegally stealing private information—which, no doubt, happens—but rather standards for lawful access. “This is not about absolutely preventing access by the state, but about the constitutional framework regulating access,” she says.

Prohibitions against access or unfettered access are not real options, because it is clear that in some circumstances the Canadian government must violate privacy. “The issue is regulating that access and making sure that it is regulated in a way that is protective of people’s interests,” Austin says.

The Canadian Charter does not explicitly mention privacy, but section 8 has been interpreted to protect everyone’s “reasonable expectation of privacy.” Without our own thoughts, we cannot be or become ourselves. Private spaces allow us to grow and differentiate as distinct individuals, and develop, as Austin has written, an “authentic inner life and intimate relationships.” That exhibitionism on social media is so ubiquitous should not be taken as indication that privacy has lost its value.

Austin has always been interested in “what’s public and what’s private, the pressure that technology places on those divisions, and the law’s response to that,” she says. At its best, the law is destined to play a “good catch up game.”

She has played a major role in this process. A few years ago, when Austin sat on a committee to study the question of whether the University of Toronto should outsource its faculty and staff e-mail system to free alternatives provided by companies like Google and Microsoft, she began to think about the implications of decisions about where to locate our data. With co-authors, and with research assistance from then-2L Daniel Carens-Nedelsky, she expressed her concerns about privacy and outsourcing in “Seeing through the Cloud….” (A decision by the university about faculty and staff e-mail is still pending.) She also helped the Canadian Judicial Council develop a model policy for access to court records in an age of electronic access.

Last year Austin’s scholarship on privacy was cited in (a mere) three decisions of the Supreme Court of Canada: R v Spencer, Wakeling v United States of America, and R v Fearon.

In Spencer, Austin’s work helped persuade the Supreme Court to accord greater protection to subscriber information by recognizing that there can be “a reasonable expectation of privacy in the subscriber information. The disclosure of this information will often amount to the identification of a user with intimate or sensitive activities being carried out online, usually on the understanding that these activities would be anonymous.”

In Wakeling, Austin was cited in support of the proposition that individuals still retain a “substantial privacy interest” in information that is wiretapped, even though an individual may anticipate that law enforcement agencies could seek to access this information. Privacy intrusions that are “expected” can still be “problematic,” Austin noted, which the Supreme Court echoed. 

What is to be done about it?

One option is requiring that sensitive data gets stored on Canadian soil, what some call “data localization.” It is no accident that Microsoft is opening two new data centres in Canada, with one in Toronto. Other companies will probably follow suit to respond to rising concern about the security of data.

In 2004, British Columbia became the first Canadian jurisdiction to enact data localization provisions. The legislation was triggered by concern about government outsourcing the billing for medical services, and residual concern about the reach of the American Patriot Act, legislation that passed in the wake of 9/11 and dramatically expanded surveillance powers.

Data localization has proved more difficult to enforce than expected. British Columbia’s legislation has been tweaked over the years, and is now again under review. Alexis Kerr, JD 2001, a former student of Austin’s, works with the Fraser Health Authority in British Columbia, which is funded by and accountable to the provincial Ministry of Health. She has seen how British Columbia’s data localization requirements quickly ran into difficulty.

For example, some medical service support simply required the involvement of American companies because no Canadian alternative existed. Originally, legislation did not allow business with those companies at all. British Columbia’s legislation required that such a company disclose if a foreign government (like the American government) had demanded disclosure of data. But in 2006 legislation was altered to fix this problem.

The trouble is that the Patriot Act prevents the recipient of a request from disclosing it. “Even if we put British Columbia’s disclosure requirement in a contract, we put a service provider in the United States between a rock and a hard place, because it is impossible to comply with both provisions,” Kerr says. “So if they have to choose between whether they will breach the Patriot Act or British Columbian privacy legislation, we can be pretty sure in most cases the choice will be to comply with the Patriot Act because the consequences are far greater for non-compliance.”

Kerr thinks measures need to be taken to protect privacy, but says it is an “open question whether data localization laws as currently constructed are effective at achieving that goal.” She cautions against taking false comfort in data localization laws, especially when individuals “don’t really realize how much information they are readily giving away themselves, including through personal devices like wearables,” she says. (“Wearables” are increasingly popular devices that people wear on their body to record information like heart rate, location and movement).

The current debate is unsettled and heading in two different directions. On the one hand, Canada recently signed on to the Trans-Pacific Partnership, a major new international trade agreement, which will likely make it harder for Canada to insist on local storage of information. For example, Article 14 provides that every signatory country “shall allow the cross-border transfer of information by electronic means, including personal information, when this activity is for the conduct of the business of a covered person.” There is a public policy exception, but it remains to be seen whether it is interpreted to mean a lot or very little.

In a major policy development pulling in the opposite direction, a recent decision by the European Court of Justice, in a case called Maximillian Schrems v Data Protection Commissioner, has made it more difficult for European companies to send personal data to the United States. The case was about an Austrian doctoral student who argued that the protection of his personal information on Facebook, which was stored in the United States, was inadequate.

The longstanding European position had been that personal data cannot be sent to third party countries without a guarantee of adequate protection. For years, American companies that pledged to respect certain principles, the so-called “Safe Harbor Privacy Principles,” could receive European data. Compliance with these principles was based on self-monitoring and self-assessment. The Schrems case struck down this voluntary arrangement, and requires that more be done. Negotiators are now scrambling to come up with an alternative.

Long term, Austin thinks Canada will have to enter into treaties with other countries to ensure that “when a Canadian person’s data is in your jurisdiction, it is protected as if it were in Canada,” she says. “Canadian law should follow where your data goes.”