As a Canadian, you might not since there is no Canadian version of the Patriot Act, even in light of the shootings on Parliament Hill (22 Oct 2014). Unlike that of our American neighbours, personal data transferred and stored on Canadian servers is not directly accessible to Canadian intelligence agencies.

Canadians, however, are exposed to the reach of American spying initiatives, like the Patriot Act, every day. When you send an email through your Gmail account, your personal data and online behaviour are tracked, transferred and stored on US-based servers. When you’re posting on Facebook, your communications data is tracked, transferred and stored on US-based servers.

This is a growing concern for consumers in the EU, which prompted a landmark decision by the European Court of Justice (ECJ) on the Safe Harbor treaty. Now, many large tech and communications companies must consider how they store and transfer personal data.


In 2013, an unnamed American whistleblower, later revealed as Edward Snowden, leaked a cache of 20,000 internal documents from the National Security Agency (NSA) to journalists Glenn Greenwald and Laura Poitras. The leak showed that the NSA ran large-scale spying programs, including recording metadata for “most calls” made in the United States (when the call was made and received, and its duration), as well as messages sent via email and on social media platforms.

The scale of the NSA’s data collection was massive. The stated mandate of this initiative was to gather “bulk data on foreign targets” using XKEYSCORE. This once-secret computer system is a collection of software, databases and servers that takes the information collected from various sources and makes it “responsive to search queries.” The NSA was only empowered to collect information in cases where at least one end of the communication originated or ended abroad. If the NSA found that the data belonged to an American citizen, the data would be destroyed. Communications data, however, is not clear-cut, and it can be difficult to fully separate its domestic and international origins. The NSA, as a result, collects a certain amount of communications data belonging to US citizens.

While US technology firms cooperate with NSA surveillance initiatives, giants like Google, Facebook and Yahoo have stated that they only release information with court orders.

Communications data collection initiatives were increased following the terror attacks on 9/11. The Patriot Act included surveillance procedures designed to help identify and prevent future terrorist attacks. In 2011, President Obama signed a four-year extension on the Patriot Act. Parts of the legislation expired in 2015 and were replaced with the USA Freedom Act. Under section 215, however, the NSA’s ability to collect mass phone data has been curtailed. Data is now collected and retained by phone companies and made available to the NSA with a federal court order.

The EU rejects Mass Surveillance

Since Snowden’s extraordinary leaks, the NSA’s powers and its surveillance procedures have been dramatic fodder for films and TV shows. Yet the impact on individuals, and indeed the dangers of such surveillance tactics, are very real. Mass collection of data is by definition imprecise.

In 2015, the European Court of Justice (ECJ) ruled that the Safe Harbor treaty, signed in 2000, poses a privacy risk to European consumers. The treaty allowed for the transfer of personal data, including online behaviour, emails, and passwords. In the wake of Snowden, the free transfer of this information to the US has, predictably, caused concern. The ECJ has found that companies, especially Facebook, do not have adequate provisions in place to protect the personal data of their European customers from US surveillance when data is transferred.

The danger and perceived threat to privacy is such that large US technology firms have started storing data on international servers, which are not subject to the terms of the USA Freedom Act or the Patriot Act. Germany, for example, has strong protections for personal privacy in place. As such, European customers who use Microsoft’s cloud-based products and services will have their data stored on two servers in Germany beginning in 2016.

The economic implications of the ECJ’s decision are far-reaching, and any company that does business between the US and EU will have to consider implementing secure procedures and even relocating its bases of business so that they are outside the national jurisdiction of the NSA. Negotiations are ongoing but, with consumer concerns paramount, companies will now have to work with the EU’s rejection of US mass surveillance tactics.