We are currently moving our web services and information to Canada.ca.

The Treasury Board of Canada Secretariat website will remain available until this move is complete.

Privacy Matters: The Federal Strategy to Address Concerns About the USA PATRIOT Act and Transborder Data Flows

Archived information

Archived information is provided for reference, research or recordkeeping purposes. It is not subject à to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

2. Background

Today's information economy

Information and knowledge have largely become primary wealth-creating assets throughout the developed world.

Enabled by new technologies, Canada is now an information-based society.

The Internet and sophisticated software make it possible for companies, governments, and individuals to share information easily and to conduct business on an anywhere, anytime basis.

Transborder data flows and contracting

The flow of computerized data, including personal and sensitive information, across any international border, is referred to as "transborder data flows."

Transborder data flows are increasing on a daily basis, in part because of the increased reliance on contracting out, a practice in which companies and governments hire an outside service provider to deliver a program or provide a service, such as managing a database. This can often result in improved efficiencies and levels of service.

Contracting out, or outsourcing, as it is often called, has become a global practice. While an organization may be located in Canada, some of its activities, including the storage and handling of personal information, may be managed by another organization elsewhere in the world.

While transborder data flows have led to greater efficiencies, access to new products and services, and economic benefits, the transfer of personal data across borders has also raised concerns that information could end up in the hands of people for whom it was not intended.

That, in turn, could infringe on privacy.

Privacy is a fundamental right in Canada

Privacy has long been considered a fundamental right in Canada.

The United Nations Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights enshrine privacy as a core human right or value that goes to the very heart of preserving human dignity and autonomy, as does the Canadian Charter of Rights and Freedoms.

For most Canadians, privacy is about control—the right to control one's personal information.

It was not surprising, then, to discover that transborder data flows are a concern for many Canadians, as reported in a recent survey.

Public opinion

A survey conducted earlier this year by EKOS Research Associates Inc. for the Office of the Privacy Commissioner of Canada (entitled Canadians, Privacy and Emerging Issue) found that most Canadians expressed concern about personal information transferred across borders.

The survey's results acknowledged that the cross-border transfer of personal information is a complex policy issue, involving important privacy, economic, national, security and other considerations. A copy can be reviewed on the Commissioner's Web site

Another recent study (August 2005), Privacy in the Information Age: Government Services and You, found that while Canadians worry about governments holding extensive files on citizens, they are willing to make trade-offs for better services as long as appropriate safeguards are in place. That study, which examined the issue of government departments sharing information to improve services, was conducted by a not-for-profit organization called the Crossing Boundaries National Council, which is made up of senior public service employees and elected representatives from other levels of government and the Aboriginal community.

In their report, the Crossing Boundaries National Council recommends that governments establish strong safeguards on access to personal information but have the safeguards flexible enough for branches of governments to share data in new ways without too many obstructions. The report can be found at the following Web site

B.C. and the USA PATRIOT Act

The issues surrounding transborder data flow of personal information came to the forefront in Canada as a result of a court case launched in 2004 in B.C.

The British Columbia Government and Service Employees' Union sought an order to stop the provincial government from hiring the Canadian affiliate of a U.S. company to administer the province's medical records.

The union claimed that the contract with the U.S.-based company would open up the possibility of having medical records of British Columbians scrutinized by U.S. law enforcement officials under the USA PATRIOT Act.

Ultimately, in March 2005, the Supreme Court of British Columbia rejected the union's challenge—the union has since launched an appeal.

In the summer and fall of 2004, the Office of the Information and Privacy Commissioner for B.C. examined the matter, asked for submissions to obtain opinions, and directed recommendations at both the B.C. and federal governments. The Commissioner concluded that this was an issue that went beyond the scope of the province's influence and affected all of Canada.

Supporting facts


  • "USA PATRIOT" in USA PATRIOT Act stands for "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism."
  • Enacted in 2001 by the U.S. Congress.
  • Amends the U.S. Foreign Intelligence Surveillance Act to allow the Federal Bureau of Investigation (FBI) to apply for a court order to obtain records, papers, documents, and other items for an investigation related to terrorism or clandestine intelligence activities.
  • Under section 215 of the USA PATRIOT Act, the FBI could potentially obtain records that are held by companies located in the U.S., or records for which U.S.-based companies have direct access, and requires the companies not to disclose these actions.

The review of the Information and Privacy Commissioner for B.C.

  • The Information and Privacy Commissioner for B.C. received 500 submissions from governments, businesses, labour groups, and others, mostly in Canada, but also from the U.S. and Europe.
  • There was a general consensus that U.S. authorities could, under some circumstances, use powers under the USA PATRIOT Act to access information about B.C. citizens if the information were accessible under U.S. jurisdiction. There was, however, a wide variety of opinion about whether the risk of this actually happening was small or significant.

A global issue

The submissions to the Information and Privacy Commissioner for B.C. raised larger questions about the safeguarding of privacy in an era of economic globalization, widespread fear of terrorism, and transborder data flows.

It was noted that privacy risks exist whenever a transborder data flow occurs since there are anti-terrorism laws and security measures in many other countries that contain powers similar to those of the USA PATRIOT Act.

As a result, the report of the Information and Privacy Commissioner for B.C. suggested that existing privacy protection would need to be reviewed by all jurisdictions across Canada and at an international level, in both the public and private sectors.

The Privacy Commissioner of Canada agreed.

Submission from the Privacy Commissioner of Canada

The Privacy Commissioner of Canada, Jennifer Stoddart, made a submission to the B.C. review that applauded the efforts of the Information and Privacy Commissioner for B.C. in examining the implications of the USA PATRIOT Act.

She agreed the B.C. situation was part of a broader issue—the extent to which Canada and other countries share personal information about their citizens with each other and the degree to which information transferred abroad for commercial purposes may be accessible to foreign governments.

The Privacy Commissioner of Canada outlined what can be done, including reminding private firms about their obligations under federal and provincial laws and indicating that her office planned to conduct a review of information-sharing agreements between the Governments of Canada and the U.S.

She asked the Government of Canada to review the circumstances related to transborder data flows in which personal information about Canadians may be accessible outside of Canada.

Supporting facts

The Privacy Commissioner of Canada concludes that the USA PATRIOT Act is not likely to be the first course of action

The Privacy Commissioner of Canada concluded that the USA PATRIOT Act is not likely to be the normal procedure to obtain personal information held in the U.S. about Canadians, a view shared by the Information Technology Association of Canada.

The Commissioner believes it is more likely that other means of obtaining information will continue to be used instead, such as grand jury subpoenas, ordinary search warrants, and existing information sharing agreements, or bilateral mutual legal assistance treaties that have been signed by the governments of Canada and the U.S.

Balancing privacy with other priorities

Both the B.C. and federal privacy commissioners and the Canadian public recognize that addressing issues around transborder data flows is more than just a consideration of privacy interests.

There are other interests at stake, such as significant cost and service efficiencies, and economic benefits from contracting out as well as the need to respect Canada's obligations under its trade agreements and the requirements to protect national security.

Contracting out

Contracting out, or outsourcing, is when an organization hires a company to carry out certain functions to improve efficiencies and levels of service. Companies often outsource to firms that may be located in other parts of the world to handle administrative and data processing tasks so they can concentrate on their core business.

Canada is a major user and provider of outsourcing arrangements and benefits from the practice. Many Canadian companies enter into outsourcing arrangements with U.S.-based businesses to receive and to provide services. Governments also engage in outsourcing to receive services.

Federal government contracting

The federal government has a large number of contractual arrangements in place to carry out functions more cost-effectively.

The vast majority of such contracts are to obtain goods and services for government use. They can range from regular contracts to obtain equipment, software, telecommunications, training courses, or services like temporary help, informatics, consultants, maintenance or repair, to the extremely complex contractual arrangements involving the transfer or delivery of a government program or service function to a contractor.

The federal government encourages innovative arrangements with suppliers to improve efficiency and service to the public. Outsourcing is viewed as a pivotal means of providing more flexible and responsive services to Canadians.

Privacy must, however, always be considered when determining if outsourcing is appropriate.

Supporting facts

Canada is a major beneficiary of outsourcing

The United Nations Conference on Trade and Development produced a report in 2004 called World Investment Report 2004—The Shift Towards Services, which states that the countries that have gained the most from overseas outsourcing are Ireland, Canada, Israel, and India. (See the following Web site.)

Information technology outsourcing by the federal government

Federal contractual arrangements related to information technology may involve the simple storage or archiving of government information, the operation or management of computerized systems, or the entire information technology function of a government institution or agency.

Information technology services may also be outsourced to support the delivery of a government program or function that involves the collection, use, or disclosure of personal information for a specified period, in which the accountability for the program or function remains with the government.

International trade agreements

In reacting to public concerns about privacy, the Government of B.C. amended its Freedom of Information and Protection of Privacy Act. The amendments placed new restrictions on public bodies and service providers from storing, accessing, or disclosing personal information outside Canada.

There are no plans at this time to amend the federal Privacy Act in a similar fashion. This is because such an action could encourage other foreign governments to do the same, choking off the economic benefits to Canada from work outsourced to Canadian suppliers. In addition, the federal government must respect international trade agreements that are not binding on provincial governments.

Canada has signed a number of international agreements, including the North American Free Trade Agreement and the World Trade Organization (WTO) Agreement on Government Procurement.

Any possible changes to Canadian federal laws could only be put in place if the changes fully respected these long established international trade agreements. This is extremely important because the trade agreements play a major role in Canada's economy.

Supporting facts

International trade is vital to Canada

One in every four jobs in Canada is related to international trade.

Businesses, organizations, and governments are not the only groups involved in the global economy. Individual citizens are also participants, and Canadians are among the most avid users of e-commerce.

The need for privacy protection is balanced with the freedom to use a credit card over the Internet to purchase goods and services or to use automated teller machines anywhere in the world.

The most effective ways to protect personal information

Federal privacy laws currently provide appropriate protection of the personal information of Canadians'. These are supplemented by policies that govern the way government institutions do business as well as contract clauses and best practices that specify contractor obligations to protect privacy.

A shared responsibility

Taking a balanced approach to privacy protection is not unique to the federal government: privacy is a shared responsibility.

Other levels of government

Provinces, territories, and local governments all have an obligation to protect information within their control. There are laws and policies, not only federally, but also provincially and territorially, that govern the collection, use, disclosure, retention, and disposal of personal information.

Private companies and organizations

The private sector is accountable for protecting privacy under PIPEDA or similar provincial legislation in a number of provinces. At the time of this report, only B.C., Alberta, and Quebec have privacy legislation similar to PIPEDA—none of the territories or other provinces have such legislation. That said, protecting privacy is more than a case of obeying the law. Respecting privacy laws and following internal policies that help to protect personal information are essential to the trust and confidence of customers.


Canadians also have a responsibility to protect personal information. In her August 18, 2004, submission to the Privacy Commissioner for B.C., the Privacy Commissioner of Canada said that Canadians need to accept responsibility for informing themselves by asking who is using their personal information and for what purpose.

Supporting facts

How to protect your privacy

The Privacy Commissioner of Canada's Web site, has a series of fact sheets designed to inform Canadians on how they can take charge of protecting their personal information.

Federal Response: A Continuous
Risk-management Approach

Approach comprises 4 steps:

  1. Communicate issue to160 institutions
  2. Conduct comprehensive assessment to identify risks and develop mitigation strategy
  3. Develop and implement policy guidance on USA PATRIOT Act risks
  4. Ongoing follow-up
1. Awarness, 2. Identification and mitigation, 3. Guidance, 4. Follow-up

Date modified: