June 17, 2026

Can C-36 Oppose Foreign Data Overreach?

Matthew da Mota, Research Director, National Security and Emerging Technology
and Emily Osborne, Research Associate

 

For people who follow data governance closely, extraterritorial access is a widely discussed concern. U.S. laws like the CLOUD Act and FISA allow the American government to compel companies that operate in the United States to disclose private data upon request.

It is generally agreed that major U.S. companies will obey these laws, and when asked, Microsoft has essentially confirmed as much.

So with C-36, the “Protecting Privacy and Consumer Data Act” tabled in Parliament this week, one immediate question is whether the law would have anything to say about cross-border data flows and extraterritorial access.

The bottom line: C-36 does not really address these vulnerabilities. In fact, when AI Minister Evan Solomon was asked by journalists about the issue, he said that Canadian law cannot override other nations’ laws. This is fundamentally true, but it also indicates an unwillingness to play hardball — using Canadian law to try to compel Big Tech’s harmful behaviours.

The question was never whether we could change U.S. law with Canadian legislation, but whether we could create laws or policy tools that block American surveillance and intelligence gathering, when it comes to Canadians’ data being stored on Canadian soil.

While Solomon is correct that we cannot override the U.S. legal regime, we can make the cost of compliance much greater by establishing conflicting domestic laws. A “blocking statute” does just that: it is a tool expressly designed to create a conflict between domestic laws and foreign laws or orders.

We look at this idea in depth in Chapter 7 of Foundations of Digital Sovereignty, which will be published tomorrow, but the short version is: a blocking statute would explicitly say companies operating in Canada cannot comply with orders made under the U.S. CLOUD Act without the request first being subject to Canadian judicial oversight. If penalties are properly enforced, this makes the choice to comply with U.S. laws a lot less obvious for companies.

A blocking statute does not have to come as a part of privacy legislation; in fact, C-36 may not be the appropriate venue at all. However, without such a statute yet on the books, this legislation seems at best to be neutral on reducing vulnerabilities to the CLOUD Act and at worst might in fact enhance those vulnerabilities.

So what does C-36 actually do on cross-border data flows? The bill has three main sections that pertain to the transfer of data across borders and to the collection of data in service of law enforcement and intelligence gathering, including by or for foreign governments.

In section 39, C-36 gives organizations leeway to use personal information of individuals without their consent, if the company has reason to suspect that the information might be useful in a criminal investigation — and this applies to federal, provincial, and foreign jurisdictions.

Specifically for law enforcement purposes, Sections 42 and 43 of C-36 allow for the disclosure of personal information (without an individual’s knowledge or consent) in cases where it is requested by government institutions for the purposes of administering or enforcing laws, conducting investigations, or gathering intelligence — again, in provincial, federal and foreign jurisdictions.

What is captured under the term “government institution” is still unclear: it might refer only to Government of Canada institutions requisitioning information, but may potentially implicate foreign governments as well. The details will be further specified in subsequent regulations as per subsection 139(1c).

Companies with U.S. headquarters, which constitute much of our digital infrastructure, will likely already comply with the CLOUD Act either way, but this provides a provision through which the Government of Canada can also compel companies to disclose information that may support U.S. intelligence collecting and investigations.

In many ways this is nothing new, but it is an indication of the government’s intention to continue and perhaps deepen our integration with the U.S. intelligence apparatus. This may be necessary for security purposes, but we should be clear-eyed about what’s happening here, and the government should explain why it’s necessary.

It is worth dwelling on what these provisions actually do. Far from shielding Canadians from foreign data demands, these sections are permissive carve-outs from consent that expressly authorize use and disclosure for investigations in foreign jurisdictions. This not only doesn’t resist or counter the CLOUD Act, it seems to support the core tenet of the American law by creating a clear path for companies to follow U.S. laws if asked.

And the timing invites an uncomfortable question: right now the government is also advancing Bill C-22, which threatens to undermine end-to-end encryption and compels service providers to assist law enforcement and CSIS — in some cases without a warrant.

C-22 and C-36 work to build potentially important intelligence-gathering capabilities for the Canadian government, but these laws also establish a framework where Canadians’ privacy is subordinate to national security and law enforcement investigations.

Another notable aspect of the new data privacy law, C-36, comes in Section 57, where the government stipulates that transfer of information outside of Canada can only be done if the organization does a privacy impact assessment.

The government has not yet defined the parameters of these impact assessments, but organizations will need to “implement measures to mitigate the risks identified in the privacy impact assessment”.

Examples of such mitigations provided in the document are “contractual privacy protection measures, adherence to a code of practice or certification process approved by the Division or any other prescribed measures.” In theory, this provision looks like a digital sovereignty win: providing greater safeguards from extraterritorial overreach.

However, the Section 57 safeguards — contractual clauses, codes of practice, certification — have been deemed insufficient by courts in the European Union. A contractual clause could not stop a CLOUD Act warrant.

When fielding questions from journalists on Parliament Hill, Minister Solomon said, “no law here can undermine the legal regime in another country. We can’t override another country’s legal regime.”

That may be true, but it also sounds like admitting defeat. In reality, there are real strategies that other countries have tried to limit the scope of foreign laws and extraterritorial overreach. We delve into some of those ideas in Foundations of Digital Sovereignty in both Chapter 5 and Chapter 7, which will be published tomorrow. (And we touch on it a little bit in Chapter 4, too!)

The bottom line with C-36 is that it updates the law, but in terms of extraterritorial access to Canadian data, we’re really no better off than we were before — even if companies maybe need to do some privacy assessment paperwork in the future.


Read previous chapters of Foundations of Digital Sovereignty here:

Chapter 1 – Governance is the Foundation of Digital Sovereignty

Chapter 2 – The Weaponization of Governance

Chapter 3 – Invisible Assets

Chapter 4 – Exploited and Underutilized

Chapter 5 – Clouds Without Borders

Chapter 6 – Procuring Sovereignty in the Cloud

 
