The electronic health records of Canadians need more protections to prevent foreign entities from accessing patient data, according to comments at the Canadian Medical Association Journal.
“The Canadian Privacy Law is very outdated,” said Michael Geist, a law professor and Canadian research president and electronic commerce law at the University of Ottawa and co -author of the comment. “Now we are talking about decades since the last important change.”
Geist says that electronic medical record systems of clinics and hospitals, which contain patient health information, are often controlled by US companies. The data is encrypted and stored mainly in cloud servers in Canada, but because they are owned by US companies, they are subject to US laws.
For example, Geist points out, the United States approved the use of legal data abroad clarified (Cloud) act In 2018, which can force companies to disseminate customer information for criminal investigations, even if stored outside the United States. The law allows bilateral agreements with the United States and other countries. Canada and the United States began negotiations in 2022.
Companies have “Canadian laws that can say that they must provide appropriate protections for that data,” Geist said. “But they can have a law of us that could force them to reveal that information.”
Canada’s laws, says Geist, have not yet found a way to respond to that.
How health data could be used
Cmaj’s comment says “privacy, security and serious economic risks arise when companies in other countries have and use Canadian data.”
Among them, the authors indicate the potential use of this information for the surveillance of the application of the law, or by private companies that seek to use the data to earn money.
Health data are deeply personal, and the political tensions of Canada-United States in progress can cause some to be even more cautious about where and how their information is stored and use, says Lorian Hardcastle, assistant professor at the Law School and the Cumming Medicine School of the University of Calgary.
“There is a convincing argument to say: ‘Well, you know, we just need to have this information stored in Canada and not have those deals with US companies,” said Hardcastle.
In addition to Cloud’s law, another Geist concern presents is the potential for foreign companies to benefit from Canadian health data. With the growth of AI, Geist says that the data has become increasingly valuable, a tremendous information group that could be used to generate AI algorithms. (Cloud companies say that their customers possess and control their own data).
“We should be the ones who benefit us from that,” Geist said. “We should be those who have the right to appropriate privacy protections.”
Dr. Sheryl Spithoff, an assistant professor at Toronto University, says that these risks highlight how Canada’s privacy laws fall short.
“These data are patient data. It belongs to patients. That should be used for reasons that are of interest, that provide benefits, which do not cause harm.”
Technology companies respond
CMAJ’s comment says that three companies in the US cloud. Uu dominate: Google Cloud, Microsoft Azure and Amazon Web Services.
Google told CBC News that “customer data belong to our clients, not Google Cloud.” He says that, like many technological companies, he receives requests from governments and courts to reveal client information, usually as part of criminal investigations. The company says that a “transparent, fair and exhaustive process” follows to respond. He did not specifically comment on Canadian health data.
“Google provides a case -by -case response, taking into account different circumstances and informed by the legal requirements, customer agreements and privacy policies,” he said.
“We are committed to protecting privacy and at the same time comply with applicable laws.”
Microsoft said that in the second half of 2022, of the almost 5,000 demands of “consumer data” that received 53 control orders sought by stored content outside the United States.
“The Microsoft compliance equipment reviews the government data of the client data to ensure that the applications are valid, rejects those that are not valid and only provide the data specified in the legal order.”
Amazon said “does not disclose customer information in response to government demands unless we are required to do so to comply with a legally valid and binding order.”
In a statement, a Amazon Web Services spokesman wrote “there have been no data requests to AWS that resulted in the United States government dissemination from the data of business or government content stored outside the United States since we started informing statistics.”
Limits to the privacy laws of Canada
Privacy experts say that the failure of Canada’s privacy laws to maintain the rhythm of changing technology has put the sovereignty of data in the country at risk.
Geist says that the strengthening of provincial laws and the Federal Law on the Protection of Information Information and Electronic Documents, known as Pipe.
In his comment, Geist asks “stronger sanctions for unauthorized dissemination of personal information without consent and guidance that the orders of foreign courts related to Canadian data are inapplicable in Canada.”
Innovation, Science and Economic Development Canada says that Pipe.
Geist also asks that the country develop Canadian cloud servers for health data, and make sure the data is housed in the Canadian soil.
The richness of the health information generated by the medical care system must remain in Canada and benefit the Canadians, says Geist. He and his co -authors see the potential for health algorithms that Canadian companies develop in Canada, with solid safeguards, to support medical care decisions “based on the representative data of the population of Canada.”
