This is the first in a series of posts that examine the principles governing the transfer of data across borders between the European Union and the United States, and the effect that the USA PATRIOT Act has on businesses, citizens and governments outside the United States. Although this is a U.S.-oriented site and I am a British citizen, the issues I surface here affect all readers, whether living and working inside or outside the United States.
The USA PATRIOT Act held prominence in American society shortly after the September 11 terrorist attacks, and played a crucial role in enhancing the search capabilities of law enforcement.
But as the scales of justice swayed toward the law itself, an erosion of civil liberties became apparent -- even to the U.S.'s closest neighbour, Canada.
Post-9/11 and the Patriot Act
The U.S. counter-terrorism strategy has been strengthened in light of the home-grown and foreign terror threat to the mainland. However, the terrorist attacks against the U.S. on September 11, 2001, sparked a change in U.S. policy on gathering intelligence to prevent further attacks.
The controversial USA PATRIOT Act, commonly known as the Patriot Act, revised and consolidated counter-terrorism laws post-9/11 to enhance domestic law enforcement investigatory authority, including sweeping surveillance and search powers, while some claim it eliminated the judicial oversight that ensures these powers are not abused.
Most U.S. citizens living in the U.S. are aware of the Patriot Act as the "counter-terrorism law". But the Act consolidates, refreshes and bolsters existing laws to improve federal resources, enabling those fighting the war on terror to intercept communications and acquire intelligence to prevent what is considered modern-day terrorism.
The 2001 Act, for example, takes into account new technologies which enable acts of cyber-terrorism; prohibits the act of knowingly harbouring a terrorist; and provides law enforcement with the ability to delay the notification of a court-approved search warrant in order to prevent a suspect from destroying evidence or fleeing. In some cases, the Act simply refreshes certain areas to bring them up to date.
However, the Act has been criticised by academics as a "knee-jerk reaction" to the September 11th attacks, suggesting that it infringes the constitutional rights of ordinary citizens and foreign nationals by authorising surveillance without the necessary requirement of a court order.
As a U.S. law, the Patriot Act applies to everyone living in and visiting the country, including any foreign national who spends time on U.S. soil as part of a visa arrangement. The Act also applies to companies based in the U.S., whether they are headquartered there -- such as Apple, Google or Microsoft -- or are a subsidiary of a larger non-U.S. company.
For example, although the BBC has its headquarters in London, it also has studios and offices in the U.S., making these U.S.-based offices vulnerable to the Act.
Many users of popular web services or cloud services are unclear about the laws in effect or even the jurisdiction under which users and service providers fall.
Yet, many services, products and websites, including those made available by the cloud, are provided by U.S.-based organisations. Cloud services are often sourced from localised companies (like Google UK or Microsoft UK) for citizens in the United Kingdom, instead of dealing directly with the U.S.-based corporations.
Because the Patriot Act legislation covers U.S. companies, data that is housed in or passes through the United States is vulnerable to interception by authorities.
The use of this provision of the Patriot Act has been challenged in court. An FBI-issued National Security Letter (NSL) prevented Nicholas Merrill, then ISP and now founder of the Calyx Institute, from disclosing his court challenge to anyone.
A U.S. District Court Judge struck down the 'gagging order' -- the National Security Letter -- ruling that it was "unconstitutional" as it violated the right of free speech under the First Amendment and the right to be free from unreasonable searches under the Fourth Amendment.
"Prior to the passage of the Patriot Act, Canadians' personal information in the custody or control of US-linked organizations could be accessed by US authorities by other means, such as national security letters or grand jury subpoenas, or through governmental channels. The Patriot Act, it has been suggested, simply "broadened the scope and lowered the standard for the issuance of such orders."
As NSLs are used to gag organisations under the Patriot Act, the individual under suspicion or investigation may not be told. Canadian law says that when an individual's data is moved, including across borders, the individual whose data is of interest must be informed. Therefore, the gagged organisation could be in breach of Canadian law if it upholds the gagging order under U.S. law.
Following a 10-week investigation into the Patriot Act, David Loukidelis, then Information and Privacy Commissioner for British Columbia, put forward sixteen recommended changes to the law, including:
"Legislation should be passed to make it an offence for a public body or a contractor to disclose personal information or send it outside Canada in response to a foreign court order, subpoena or warrant, with violation being punished by a fine of up to $1 million or a term of imprisonment, or both;"
Yet some argue that Canadians are too quick to denounce the cloud because of the Patriot Act. David Fraser, a Halifax-based privacy lawyer, argues that the Canadian Anti-Terrorism Act 2001, which passed into law with Royal Assent shortly after the Patriot Act became law, performs similar functions for Canada's intelligence community.
"[a] strategic value in having 'pure bred Canadian cloud providers' that fall into Canadian jurisdiction, which would also provide an option that Canadian government and military can use."
Nevertheless, the issue many Canadians face with the Patriot Act lies in their recognising it as a foreign piece of law which allows a foreign government to access their personal data for the benefit of the United States and, potentially, its overseas allies. Their argument is: "What right do they have?"
"Under the [USA PATRIOT] Act, US officials could access information about citizens of other countries, including Canada, if that information is physically within the United States or accessible electronically. The potential exists, therefore, for law enforcement agencies to obtain information about Canadians whose information might be handled under a contract between the federal government and a US-based company."
Another point from the FAQ goes on to consider the private sector; notably the rise in outsourcing of Canadian operations and infrastructure to more protected and insulated firms and organisations:
"When a supplier is hired to administer personal information and any part of its operations, including subcontractors, are [sic] outside of Canada, then the laws of the other country (or countries) may be applicable to information stored or accessible electronically in the foreign country. If a company located in the United States or with U.S. connections is hired, then the USA PATRIOT Act may be applicable."
The United Kingdom has intelligence gathering policies similar to Canada's. Not only is the UK a close ally of the United States in intelligence-sharing and military capability, it is also a fellow Commonwealth country to Canada, sharing the same monarch. The UK has laws in place to collect intelligence to bolster foreign policy and foreign relations and to prevent domestic terrorism, as well as data protection legislation which applies the EU-prescribed 'Data Protection Directive.'
But when a stronger entity like the United States uses its domestic policy to authorise the secret gathering of intelligence from another country, as seen with the Patriot Act vs Canadian privacy laws, the Canadian government has shown an obvious cause for concern.
Next up: An overview of the Safe Harbor principles, prescribed by the European Commission to protect European governments and citizens from breaches in privacy.