Canadian Health Data Requires Stronger Safeguards With Lost Canada-U.S. Trust

With today’s implementation of tariffs on both sides of the Canada-U.S. border, the level of mistrust between our countries has grown, whether urgent calls to “Buy Canadian” or boos and catcalls at the playing of the American national anthem. Should we continue down this path, Mr. Trump will surely seek to exploit more of Canada’s potential vulnerabilities. Last week, I co-wrote an op-ed with Kumanan Wilson on one such vulnerability: our health data, whose protection has yet to attract much attention but which could emerge as an issue.

Canada is fortunate to have access to unique population-based health data, thanks to our publicly funded health system. This data is essential not only for provision of care, but also for monitoring population-wide health trends and as an integral component in the coming health artificial-intelligence revolution.

Much of our health care data starts with family physicians, local hospitals and Canadian health research facilities, but later winds its way into the hands of international companies. Many of those companies are based in the U.S. and subject to foreign legislation that could compel disclosure, even over the privacy objections of affected individuals.
In other words, Canadian health privacy safeguards may have limited effect once the data is outside the country and no longer in the hands of Canadian-controlled entities.

These concerns are not new. The security and sovereignty of our health data emerged as a controversial issue more than two decades ago in the aftermath of the 9/11 attacks and the introduction of the USA PATRIOT Act. That law, alongside other legislation, established powerful rights for governmental authorities to demand that U.S. companies – as well as those companies subject to U.S. jurisdiction – provide access to personal data on national-security grounds.
In response, many Canadian organizations chose to store health data on Canadian-based computer servers as a means to protect this data from U.S. legislation. In fact, some provinces enacted legislation mandating that personal health data be retained within Canada.

And Canada is hardly alone in this regard. In recent years, many countries have enacted similar rules, often referred to as “data residency” or “data localization” requirements that restrict the flow of data across borders in the hope of enhancing the enforceability of national privacy rules.

Given recent turbulent events and the diminishing trust between Canada and the U.S., it is entirely possible that Washington would seek enhanced access to sensitive Canadian data, notably including financial and health data. This data could be invaluable for developing AI algorithms, for instance, a current priority of the Trump administration.
In fact, some of the largest electronic medical records providers, including Epic, Cerner and Meditech, are headquartered in the U.S. and may be unable to avoid American legislation mandating disclosure of data in their possession, potentially under the pretext of a specious national-security argument, for example. Such a scenario would raise privacy alarm bells leading to urgent calls for the government to better protect the health data of millions of Canadians.

Mandated data localization requirements would be an important policy response from Canada. While the end goal would be to establish viable Canadian-controlled cloud services ready to compete with U.S. giants, this may be a way off. An interim measure would involve further beefing up Canadian privacy law by ensuring that Canadian health data is encrypted, resides on servers in Canada and is subject to serious penalties for non-consensual disclosures.

Yet even data localization rules are not without their challenges, since they may create a conflict of laws that puts companies between a proverbial rock and a hard place: Canadian privacy laws mandating that health data remain in Canada, and U.S. rules requiring disclosure under some circumstances. Faced with such a conflict, U.S. companies might well look to the courts for guidance.

In similar circumstances – for example, conflicts between mandated disclosure rules and privacy-protecting Swiss banking laws – courts have considered whether the foreign rules amount to a “blocking statute” in which the company would face serious penalties in the event of unauthorized disclosure. If a blocking statute is in place, the data need not be disclosed. Canadian privacy law would not meet that standard in its current form, requiring that tougher penalties be put in place.

Now is the time for the government to pursue long overdue safeguards to better protect Canadian health data.

The post Canadian Health Data Requires Stronger Safeguards With Lost Canada-U.S. Trust appeared first on Michael Geist.