President Donald Trump’s Executive Order on domestic safety, released January 25th, has enormous implications for the privacy of everyone living outside the United States. For Canadians, the order should raise significant concerns about government data shared with U.S. authorities as well as the collection of Canadian personal information by U.S. agencies. Given the close integration between U.S. and Canadian agencies – as well as the fact that Canadian Internet traffic frequently traverses into the U.S. – there are serious implications for Canadian privacy. Moreover, the order will raise major concerns in the European Union, creating the possibility of restrictions on data transfers as it seemingly kills the Privacy Shield compromise.
Section 14 of the Executive Order states:
Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.
The protection of Canadian information which ends up in U.S. hands has long been a source of concern. Professor Lisa Austin has written about “constitutional black holes” in which Canadian data is not protected by the Canadian Charter of Rights and Freedoms and the protection afforded to the data in the United States is at a lower standard than for its citizens and permanent residents.
The Privacy Act referenced in the order did not extend privacy rights to non-U.S. citizens and permanent residents when it first enacted in 1974. However, in 2007, the Department of Homeland Security issued a policy that extended some provisions to non-U.S. persons. In the aftermath of the Snowden revelations, there has been much written on the need to extend privacy protections to foreigners.
The Trump Executive Order makes it clear that U.S. agencies should ensure that their policies do not extend privacy rights to non-U.S. citizens or permanent residents under the Privacy Act. The intent and effect of the order means that the personal information of Canadians will not be protected under that statute. The decision requires an immediate review by the Privacy Commissioner of Canada on the effect of Canadian personal information and data sharing agreements and a potential re-assessment of what personal information is made available to U.S. agencies.
About Michael Geist: Dr. Michael Geist is a law professor at the University of Ottawa where he holds the Canada Research Chair in Internet and E-commerce Law. He has obtained a Bachelor of Laws (LL.B.) degree from Osgoode Hall Law School in Toronto, Master of Laws (LL.M.) degrees from Cambridge University in the UK and Columbia Law School in New York, and a Doctorate in Law (J.S.D.) from Columbia Law School. Dr. Geist is a syndicated columnist on technology law issues with his regular column appearing in the Toronto Star, the Hill Times, and the Tyee.