Canada, cannabis and the problem of transborder data flows in a globalized world

Recently, Canada became the second country in the world, and the first G7 country, to fully legalize cannabis nationwide. As of October 17, 2018, adult Canadians can, with some restrictions, legally purchase and consume cannabis and, in all but two provinces, even cultivate limited quantities at home for personal consumption.

Legalization entails not only a major shift in criminal law policy for Canada, it also has important implications for the privacy rights of individuals. For one, the Government of Canada has indicated it is willing to grant record suspensions for past convictions for possession of small quantities of cannabis, effectively removing the convictions from police databases and thereby preventing them from appearing in criminal records checks that may be requested by employers, volunteer groups, etc. 
But legalization also entails potentially wider access to details about the purchase and consumption of cannabis by individuals, for instance, via transaction records (in some provinces, cannabis can only at present be purchased online). While individuals may have hesitated before to publicly associate themselves with cannabis they may be less reluctant to do so in a post-legalization world (via social media posts, interviews for newspaper articles, photos taken with others that are later posted online, etc.).

 
When your personal data follows you across the border

But such increased exposure poses risks given that while cannabis is now legal in Canada, it is still generally not so abroad. Transaction data revealing purchases of cannabis may be stored in servers outside of the country. What is posted on social media or in an online news articles may be accessible, via the Internet, to anyone around the world. And having this information accessible abroad can have serious consequences for individuals.

For instance, while cannabis is legal in several US states, it is still prohibited under federal law, which applies at the border. On its website, the Government of Canada cautions: “Previous use of cannabis, or any substance prohibited by U.S. federal laws, could mean that you are denied entry to the U.S.” According to the New York Times, having publicly admitted to previously consuming an illegal substance can be used by border officials to deny entry to the US. Thus, it is not beyond the realm of possibility that a Canadian who celebrates legalization with a celebratory tweet or a public post on Facebook or is interviewed for a news article, which is later posted online, may find him or herself refused entry to the US, potentially for life, as a result.

 
What is noteworthy, for present purposes, is the conflict that can arise when personal data flow across borders and between jurisdictions with different norms. Given the potential differences in legal regimes, the consequences for an individual of having personal data accessible in one jurisdiction may be completely different when that same data are made accessible in another, as the example of cannabis and the US border demonstrates.

 
A link with the de-referencing case?

This is of course not an entirely new problem nor one that is unique to Canada. EU member countries have long sought to deal with this issue by restricting transfers of personal data outside of the EU except to countries that offer an adequate level of protection or where additional safeguards are put in place. This is one important strategy for dealing with the problem but it does not entirely eliminate the conflicts that can occur, particularly when information is publicly available online and thus available in other jurisdictions by default. 

For instance, the issue of whether de-referencing made under EU data protection law should cover searches performed outside of Europe – an issue currently before the Court of Justice of the European Union – puts in stark relief the problem posed by personal data that have been posted online, and that is at once available everywhere and to anyone. This important question will have to be dealt with by the Court in its deliberations.

Are there potential solutions to these types of problems? Countries have long sought to harmonize their data protection regimes as a way of reducing the conflicts that can arise when data flow easily across borders, which can help, and there is some suggestion that the GDPR may be a further incentive in this direction. Could the creation of an international organization for the protection of personal data and privacy also assist? The idea was recently put forward at the International Conference of Data Protection and Privacy Commissioners in Brussels and will no doubt be the object of further discussion. What is for certain is that the issues posed by the flow of personal data across borders are not going away and will require hard work, ingenuity, and, above all, a spirit of cooperation to resolve.