
How to address Canada’s digital data disclosures with the U.S.

The CBA offers guidance to the Canadian government on the anticipated bilateral agreement with the United States under the CLOUD Act


In a nutshell

The CBA’s Privacy and Access Section weighs in on when the existing mutual legal assistance framework should be replaced with a speedier process allowing tech companies to surrender data to foreign entities for investigation or prosecution of serious crimes.

Background and general principles

The 2018 Clarifying Lawful Overseas Use of Data Act, or CLOUD Act, enables U.S. tech companies to share user data directly with certain foreign governments when asked to help investigate serious crimes. This process requires executive agreements between the U.S. and trusted partner countries, currently in place with the United Kingdom and Australia. Canada and the U.S. began negotiations in spring 2022.

If such an agreement is implemented, the process by which Canadian authorities could access data held by U.S.-based tech companies, such as Google, will be much faster than requests made through the existing mutual legal assistance (MLA) process. The reverse is also true for U.S. authorities accessing data held by Canadian companies.

While the CBA Section supports Canadian companies giving “full ‘faith and credit’ to foreign orders related to the investigation of non-Canadians where human rights and rule of law standards are met, and on a reciprocal basis,” it recommends retaining the existing MLA framework for investigations involving Canadian persons. This would ensure each request is reviewed by the relevant Canadian authority.

Exemptions needed

Federal and provincial government institutions and public bodies should be “exempt from providing data directly in response to foreign orders,” the letter reads, adding that this exemption should also extend to private-sector providers handling data on behalf of a government or public body.

The Section notes that other countries may pursue reciprocal agreements under the CLOUD Act. It suggests amending the Criminal Code to create a special category of extraterritorial production orders. These orders would apply only to requests from countries with reciprocal arrangements, provided a Canadian judge determines the criteria are met.

Updating privacy laws

Many privacy regimes in Canada allow for the disclosure of personal information “where required by law.” The CBA recommends amending these laws to specify that this applies only to foreign warrants under a bilateral agreement with Canada. “Unless the exception is specific to bilateral agreements, it could inadvertently permit disclosures to countries with problematic human rights records,” the letter states. Existing laws should ensure international disclosures are permitted only when authorized by Canadian legislation.

Review

Finally, the Canadian enabling legislation should include a mechanism whereby foreign orders are reviewed by a Canadian authority for compliance with the bilateral agreement. Also, Canadian service providers should retain the right to seek review of requests in Canadian courts, as they do under the existing MLA framework.

Read the submission.