The Canadian and U.S. governments won’t say whether they’re negotiating a bilateral agreement that would make it easier for police in each country to access data stored in the other. But Attorneys General David Lametti and William Barr discussed the issue in a June 2019 meeting in Washington, D.C., The Logic has learned.
The U.K. and Australia have each struck such a deal with the U.S., and top Canadian law enforcement officials have called for Ottawa to do the same, arguing existing procedures to obtain electronic evidence across borders are slow and cumbersome. Civil liberties advocates and some lawyers warn it could undermine privacy protections in Canada.
Talking Point
Federal Attorney General David Lametti and U.S. counterpart William Barr discussed a controversial law that allows police to get faster access to data stored in other countries during a June 2019 meeting, The Logic has learned. Canadian law enforcement agencies want the two countries to do a deal to speed up their increasingly numerous requests for information across the border, but civil liberties groups and lawyers warn it could undermine domestic privacy protections.
The Clarifying Lawful Overseas Use of Data (CLOUD) Act, passed in March 2018, lets the U.S. forge agreements that reduce the number of steps it takes for investigators to obtain information held in other jurisdictions. “With the globalization of communications, Canadian law enforcement is often seeking data held in the U.S.,” states a memo a senior counsel in the justice department’s criminal law policy section wrote for Lametti ahead of the June 2019 meeting, which The Logic obtained via access to information request. The existing process for obtaining such information “can be time consuming and resource intensive and is ill-suited to the digital environment where evidence is more transient, voluminous, and extra-territorial.”
The office of Deputy Prime Minister Chrystia Freeland, the cabinet point-person on U.S.-Canada relations, declined to answer The Logic’s questions about whether Ottawa was seeking a bilateral agreement under the CLOUD Act. Spokesperson Katherine Cuplinskas directed The Logic to the official readout of the June 2019 meeting, which notes that the attorneys general discussed “important cross-border priorities” including “electronic evidence.” The U.S. justice department also declined to comment.
The U.K. signed the first CLOUD Act agreement in October 2019, the same month Australia began negotiating one. The Canadian Association of Chiefs of Police have called for Ottawa to follow suit.
Under the current process, a local police force’s attempt to get data stored in the U.S. might require the participation of the RCMP, both federal justice departments, and state and local authorities across the border, which “can take months and months—sometimes years,” said Anil Kapoor, a criminal law expert. “The theory of the CLOUD Act is to go police force to police force, [which] will make it more efficient.”
Apple, Facebook, Google and Microsoft also supported the law. The bilateral agreements create certainty for tech companies, according to Molly Reynolds, counsel at Torys LLP. “It’s much easier for them to meet their domestic privacy and regulatory obligations when they see their own government having approved [the request process],” she said. A bilateral agreement would “not provide rights to U.S. law enforcement that they didn’t have under other regimes.”
But rights organizations have expressed concern that such deals remove important due process checks. An agreement could allow U.S. agencies to bypass the Canadian government in their pursuit of data, giving them “the ability to investigate in Canada, even where it would violate Canadian residents’ constitutional rights,” according to Michael Bryant, executive director of the Canadian Civil Liberties Association.
U.S. authorities may also engage in “fishing expeditions,” which the slowness of the existing process disincentivizes, he said. And “Canadian law enforcement authorities will have a new tool to collect information in a fashion that is going to put a lot of people’s due process rights at risk.”
Advocacy groups also worry about a “race to the bottom” in CLOUD Act negotiations—each side waiving compliance with strict domestic privacy rules to gain greater access. For example, U.S. law protects the contents of private text communications like emails, but Canada has stronger rules on subscriber and financial information and other metadata that service providers store in the cloud, said Gerald Chan, a partner at Stockwoods LLP.
The Office of the Privacy Commissioner has discussed the CLOUD Act with the justice and public safety departments, but hasn’t been consulted on any specific plans for a bilateral agreement, said spokesperson Vito Picelli. The watchdog said it would support a deal that “provides explicit safeguards” and that the government must maintain court oversight by requiring judicial authorization of warrants and information production orders.
But Lametti will “be under great pressure from [Canadian] law enforcement to not do that” because the rule would likely be reciprocal and “the last thing they want is to have to apply for another warrant,” said Kapoor. Any crime with financial implications is likely to involve data stored in the U.S., since it’s home to so many major banks, tech companies and other major businesses. So “foreign law enforcement will want the broadest access possible.”
Chan said Ottawa could also negotiate added safeguards, such as a provision that U.S. court orders can’t specifically target Canadian residents’ information, as the CLOUD Act does for Americans. The government will need to ensure any bilateral agreement includes ways for companies to challenge U.S. orders they believe are illegal, and clearly outline any penalties for non-compliance, Reynolds said.
“There’s certainly a value in transparency from our own government as there are discussions of a bilateral agreement,” she noted, although the successful NAFTA renegotiation suggests the deal won’t just be on the U.S.’s terms. The government would also need to introduce legislation to enact the deal and change any domestic laws affected, giving parliamentarians an opportunity to review it.
Chan said the cross-border evidence-gathering process has protected Canadians’ privacy “very effectively,” and a bilateral agreement shouldn’t dilute those rights. “We create so much data about ourselves these days [and] store so much of that data with cloud service providers,” said Chan. “It is all the more important in this age that we have robust legal protections for the privacy of that data.”
