CyberLex: Insights on cybersecurity, privacy and data protection law

The New U.S. Executive Order: Effects on Canadian Privacy Laws and Cross Border Data Transfers

Posted in Privacy
Keith Rose, Emily MacKinnon

President Donald J. Trump’s executive order issued January 25, 2017, contained one little paragraph with big words about Canadians’—and other non-U.S. citizens’—privacy:

Sec. 14.  Privacy Act.  Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.

This paragraph has triggered alarm in some corners of the Internet. However, on closer inspection, it doesn’t appear to change much, at least legally speaking and from a Canadian private-sector perspective.

This section of President Trump’s order concerns only one statute: the Privacy Act. The order, like the Act itself, is directed only at executive departments and agencies. And it concerns only their policies.  Thus, the executive order does not appear to change any person’s substantive legal rights or obligations.

The context of section 14 suggests its intention. The executive order, as a whole, deals primarily with measures to promote “interior enforcement” of U.S. immigration laws—including against “removable aliens”.  Hence, section 14 is plausibly aimed at ensuring U.S. federal departments and agencies comply with requests for information about non-citizens.

That said, the executive order has no direct impact on the treatment of personal information by the private sector. In particular, the order does not appear to change the circumstances in which U.S. law enforcement or security agencies can compel private actors to disclose information about Canadians (or other non-U.S. citizens).

On the Canadian side of the border, the public and private sectors have long paid attention to the information they send to the U.S., pursuant to both policy and legislative requirements.

In the private sector, s. 13.1 of Alberta’s Personal Information Protection Act requires organizations to provide notice of certain transfers of personal information outside of Canada. The federal Personal Information Protection and Electronic Documents Act requires organizations to provide similar notice and to ensure that personal information in the hands of a third party—whether inside Canada or elsewhere—receives a “comparable level of protection” to that provided by the organization itself.

The effect of the executive order on Canadian regulators’ views of cross-border information transfers in the private sector is uncertain at this point in time. Canadian regulators generally require Canadian organizations to disclose the consequences of information sharing across national borders, and it is currently unclear what effect, if any, the executive order will have on those disclosures.

In the public sector, s. 30.1 of BC’s Freedom of Information and Protection of Privacy Act requires all personal information to be stored and accessed in Canada, subject to an extensive list of exceptions. Nova Scotia’s Personal Information International Disclosure Protection Act imposes similar requirements, again subject to certain exceptions. And s. 50(1) of Ontario’s Personal Health Information Protection Act, 2004 prohibits the disclosure of personal information outside of Ontario unless the affected individual consents or certain other conditions are met.  None of these restrictions is conditioned on the legal treatment of the information by U.S. agencies, and their application does not appear to be affected by the executive order.

On the international stage, the order may be of a similarly limited legal effect. The order does not appear to alter obligations under the Judicial Redress Act to extend portions of the Privacy Act to citizens of “covered countries”—a measure that was specifically implemented to satisfy European requirements for transfers of personal information. This order should have little impact, if any, on the legal foundations of the EU-U.S. Privacy Shield—which, in any event, does not apply to U.S. federal agencies.

It is apparent, however, that the U.S. executive is moving quickly to implement its policy agenda.  President Trump’s next steps are far from clear.

And while President Trump’s executive order may not have altered substantive legal protections for personal information, it has clearly attracted public attention to the issue. Moving forward, it appears likely that the public will pay increased attention to cross-border information-sharing with the U.S.—a development of which organizations should remain cognizant.