The United States will enter into negotiations with Canada on an agreement to allow police with court orders to get easier access on both sides of the border to the personal data of subscribers held by Google, Facebook, and other internet service providers involving alleged criminal offences.
The two countries made that announcement last week when they also promised to work closer to fight cybercrime – particularly ransomware – and shore up critical infrastructure.
The move was welcomed by two privacy lawyers here as a way to clarify the reach of Canadian and American courts.
“While welcome, it always does not explain what limits (if any) will be placed to avoid overreach and potential violations of civil liberties,” said Imran Ahmad, co-head of the information governance, privacy and cybersecurity practice at the Norton Rose Fulbright law firm in Toronto.
According to Halifax privacy lawyer David Fraser, if successful, the bilateral agreement would likely be similar to ones signed with the United Kingdom and Australia under what’s known as the U.S. CLOUD Act (for the Australian government’s interpretation of how the agreement would work see this document).
It won’t be easy, Fraser said in an interview, nor will it be quick. Parliament will have to amend its private sector privacy law (currently the Personal Information Privacy and Electronic Documents Act, or PIPEDA, although the Liberal government has promised a new one will be introduced soon), and several provinces will have to change their provincial privacy acts. In the U.S., Congress will have to approve any deal.
Fraser also warned legislators to be wary of pressure from Canadian police forces to use the agreement to push again for what they call lawful access to internet subscriber information without court orders.
”I think there’s going to be some fuss and loud noises made from certain quarters related to amendments to Canadian privacy laws in order to facilitate this,” he predicted.
The need to work out an agreement under the CLOUD Act (which is short for the Clarifying Lawful Overseas Use of Data Act) stems from controversial attempts by the U.S. to demand data held in foreign countries by U.S.-owned companies. The most well-known example was a demand by the U.S. under its Stored Communications Act for Microsoft to produce emails of a customer over an alleged criminal offence. Microsoft refused, saying the data was held on a server in Ireland, where, it argued, a U.S. search warrant doesn’t apply. A U.S. appeal court agreed. However, in a case involving Google, another court upheld a similar warrant. To clear up the law, Congress passed the CLOUD Act, giving Washington the ability to negotiate bilateral agreements with nations so American companies can more easily disclose personal information to foreign police agencies, and in return companies in foreign countries can more easily disclose information to U.S. authorities.
“This lowers the barriers,” said Fraser. “Right now when Canadian law enforcement are looking for data held by a U.S. service provider – which happens daily, I can tell you – they will go to a Canadian court. In some cases a Canadian court will refuse to grant them a production order because the third party company is not in Canada, and technically speaking Canadian production orders and search warrants and things like that have no effect outside of this country. If they get an order, most U.S. providers will comply with it to the extent that they legally can. But there are privacy laws in the United States – the Stored Communications Act – which says that a U.S. service provider cannot provide the content of any communications to law enforcement except for a qualifying warrant, which can only be issued by a U.S. court.”
As a result police here have to use the Mutual Legal Assistance Treaty with the U.S. to get court orders here enforced. He called it a “cumbersome” process where Canadian Justice department officials make a request to the U.S. Justice Department, which then gets a U.S. court order for an American service provider to give it the information which comes to Canada. Usually it takes two months, but it can be longer.
An agreement under the CLOUD Act is “an express lane,” he said, for both countries.
“If it’s like the Australia agreement, it wouldn’t make Canadian court order enforceable in the U.S.,” Fraser said, “but it would allow U.S. providers to comply with those orders if they meet the criteria of the executive agreement.” For example, the alleged offence has to be a serious crime, and the court order has to comply with the legal obligations in each country. A CLOUD Act agreement allows an organization being served with a court order to challenge it under that country’s laws.
Canadian law is just as murky as American law in terms of how far a search warrant or production order can go in the internet era. For example, Fraser noted a British Columbia case where police wanted non-content information on a Craigslist user. Craigslist, which operates from the U.S., said it would only comply with a court order. However, a Justice of the Peace said they had no jurisdiction to order a business outside of Canada to do anything. But the B.C. Court of Appeal said having a virtual presence in the province is enough to be considered presence here and a production order could be issued.
On the other hand, a Newfoundland judge in a similar case ruled the other way.
Most American service providers will provide information to Canadian police under a Canadian production order if it doesn’t violate U.S. law, Fraser added. For example, in the first half of 2021, Twitter reports that it received 56 information requests on about 63 accounts and it complied with 45 per cent of them.
Meta/Facebook reports it received 1,110 “legal process requests” from Canada and complied with 82 per cent of them.