The Harper Government’s Surveillance and Cyberbullying Bill Could Hurt Canadian Tech Firms

Canadian tech firms may have their bottom lines to worry about if the government passes its surveillance-expanding Bill C-13. While the Harper government would like to think it's only frightening cyberbullies and criminals with the unpopular law, it may in fact be frightening away business, thanks to warrantless disclosure provisions lurking within.

I met with a few workers from the legal and management sections of a midsized, internationally active tech firm to talk about concerns their company has about the Canadian government's ongoing offensive against digital privacy.

In the course of business, their firm deals with confidential, sensitive information for clients from around the world. Part of the attraction for these clients has been that Canada benefits from a reputation as a data-safe country. It also enjoys certification from the European Union as a country that "ensures an adequate level of [data privacy] protection by reason of its domestic law or of the international commitments it has entered into."

This EU list of data-safe countries is a bigger deal than it might seem at first glance. By law, European firms can't transfer personal data outside of the EU to any country unless it's on the list. If Canada loses its status, we lose a whole lot of current and future business. Not good.

Bill C-13 offers service providers immunity for disclosing sensitive information to police and other authorities without a warrant. This isn't just hypothetical, either—Canadian authorities have been making millions of these requests each year for quite some time.

It's unclear whether C-13 could get Canada kicked off the European pro-privacy list. But it still poses a threat to people looking to send their sensitive information to Canadian companies or through Canadian servers.

As the legal team sources explained, "If I'm a customer, do I share my data with a company running the risk of data exposure?" If the risk is credible enough, as C-13 threatens, the quality of the business and its product are irrelevant. That potential customer may well choose to take their business to a country offering less risk of warrantless, unchecked data breaches.

This all sounds like an overly big deal about one little Canadian law. But let's compare it with a current case that Microsoft is fighting against the US government. Essentially, US authorities want Microsoft to turn over emails stored in an Irish data center. Microsoft claims this data-grab is unconstitutional and they're fighting the warrant in court.

As the Washington Post reports: "Microsoft and other tech firms also fear that if the government prevails and can reach across borders, foreign individuals and businesses will flee to their non-U.S. competitors."

Let's imagine that the US government wins their case against Microsoft. Any firm who doesn't want their sensitive data sent into the giant NSA/FBI/DEA information-sharing combine is now wondering where to take their business. Would they choose Canada? Maybe not, if they knew that authorities here could have warrantless access to some of their data.

This is to say nothing of the other lurking threat to privacy in Canada: dubious controls over Communications Security Establishment Canada (CSEC) and the unknown extent of their domestic spying record. CSEC, Canada's own NSA, are deeply involved with the Five Eyes group of intelligence agencies that's collecting and sharing unknowable amounts of data every day.

Canada's place on the European data-safe country list could in theory be threatened by this close relationship with the NSA. As we've learned, the American agency is hoovering up mountains of Canadian data and storing it indefinitely—a procedure that European courts have already determined to be a violation of basic rights. The NSA's data collection is surely a worry no matter what country you're in, but as the links between CSEC and the NSA continue to deepen, potential customers may not care to see the difference between Canada and the US.

Down south, there are already consequences: businesses are losing trust in the security of their US-held data, regardless of any official data-safe status. As MOTHERBOARD reported, NSA spying has already cost US tech firms billions in lost business, with 38 percent of digital decision-makers already reporting that they'd changed their business plans in response to the Snowden disclosures.

It's no wonder that the business people I spoke with were concerned about the sum total of the Canadian government's actions on digital privacy. If the government carries on with their current agenda without reform, it would be easy for foreign business to get the impression that Canadian-held data is subject to intrusive surveillance by authorities.

Ironically, it's not alldespite bad privacy news coming from Ottawa. The Conservatives' bill S-4, while flawed, proposes to mandate customer notification in the event of a business data breach. This would increase confidence in the data security of Canadian firms. The catch, of course, is that disclosures to the authorities don't count.

With Parliament off for its summer vacation, Bill C-13 is sitting in a strange limbo. Thanks to a recent Supreme Court decision, it's likely that at least parts of C-13 are unconstitutional. This includes the provisions giving legal immunity to service providers who disclose customer information to authorities without a warrant and without the customer's knowledge.

Despite the court case, the Harper government has shown no intention of going back to the drawing board, or even at least splitting Bill C-13 in two to allow for more debate and input from privacy advocates. This is troubling, since the government is refusing to listen to the privacy expert they just appointed by not even splitting the bill.

What does the future hold, then, for C-13? If Minister MacKay presses forward as he's indicated when Parliament resumes, it's likely that the government could find itself in yet another high-level court case about privacy. With lawsuits from civil liberties watchdog groups already on the books over unaccountable spying at CSEC, we could see a legal action from players in the tech-activist privacy coalition against C-13.

As the government keeps silent about making any changes to Bill C-13, it's stubbornly signaling that it doesn't care much about Canadians' privacy. Given its track record, we shouldn't count ourselves as surprised. But we do know that the Harper government does care about its perception as pro-business. As mainstream outcry grows against this "cyberbullying" bill and businesses line up on the side of reasonable privacy protection, the government may finally change its tune.

Chris Malmo is a donor relations coordinator at OpenMedia.

@chrismalmo