Update (December 2017): Beginning in 2017, certain accounts created in Canada have their survey questions and survey responses stored locally in Canada. All other account information remains stored in the United States. Learn more here.
Although SurveyMonkey is used by many Canadian customers, one concern we commonly hear from Canadians looking for a survey tool is that SurveyMonkey stores customers’ data in the United States. The reason for their concern arises from the perceived privacy risk that the U.S. Patriot Act imposes.
Background
The Patriot Act was enacted in the aftermath of the 9/11 terrorist attacks and it permits certain U.S. government officials to obtain access to personal information stored on computers located in the U.S. without requiring the notification of the person to whom the information relates. In response to this, a handful of Canadian provinces imposed restrictions on their public bodies that require them to store any personal information under their control within Canada, subject to a few exceptions. A recent article in the Vancouver Observer blog has even pointed out this risk specifically in relation to SurveyMonkey.
However, for the vast majority of Canadians, we believe that the practical likelihood the U.S. government will use the Patriot Act to pry into your survey data is so unlikely, that it really shouldn’t be something that keeps you up at night. In this blog post, we explain why.
We think the risk imposed by the U.S. Patriot Act is greatly overstated
For all the hoopla that surrounds the Patriot Act, it is not a blanket authorization for the U.S. government to pry into the personal information of Canadians that is stored in the U.S. It permits certain FBI officials to request an order which allows them to obtain “any tangible thing” as part of “an investigation to protect against international terrorism or clandestine intelligence activities.” A court must then review and approve all such requests. In the absence of illegal activity, and as long as survey creators and respondents abide by SurveyMonkey’s Terms of Use, there is little reason for the U.S. government to make a Patriot Act data request concerning your data. It’s just not a likely scenario.
Writing in relation to the procurement of the health records of Canadians, Stewart Baker, a former general counsel of the National Security Agency and Department of Homeland Security official noted that “it is hard to imagine a set of facts under which investigators could persuade the [United States Foreign Intelligence Surveillance Court] that any British Columbian health records … are relevant to an investigation to protect against international terrorism or clandestine intelligence activities. The request would not withstand judicial review.”
But don’t just take our word for it—various Canadians have made similar points. Geoff Plant QC, a former Attorney General of British Columbia, has written that the “risk of access to Canadian information under the Patriot Act” is “minimal.” Similarly, Martin Kratz QC, who heads up the intellectual property practice of Bennett Jones LLP, a prominent Canadian law firm, wrote an opinion letter describing such access as “highly unlikely.” Dr. Ann Cavoukian, the Privacy Commissioner of Ontario, said in an article that she was “not worried” that hospitals in Ontario were outsourcing data processing services to a U.S. company.
Governments don’t need the Patriot Act to access data
To put things in perspective, even in Canada legal mechanisms exist which may compromise the privacy of Canadians’ personal information. For example, subpoenas and other judicial orders could be used by private and public parties to seek access to such information. The Canadian Security Intelligence Service Act contains provisions which allow a government agency to apply for a warrant to obtain information “to investigate a threat to the security of Canada.” British Columbia’s laws also permit law enforcement agencies to disclose personal information to “a law enforcement agency in a foreign country under an arrangement, a written agreement, a treaty or provincial or Canadian legislative authority.” Governments don’t need the Patriot Act to get at your information, but most of us are fine with that.
SurveyMonkey lets you collect anonymous survey responses
If you are worried that your survey responses could be exposed to the U.S. government, SurveyMonkey allows you to conduct anonymous surveys in which no personally identifying information is collected from survey respondents (including IP addresses). If you don’t collect the information, it can’t be exposed! We wrote a page explaining how customers can do this: http://help.surveymonkey.com/articles/en_US/kb/How-do-I-make-surveys-anonymous.
The Patriot Act shouldn’t discourage anyone from using SurveyMonkey
As David Flaherty, British Columbia’s inaugural Privacy Commissioner, has pointed out, protecting privacy is about “balancing competing interests.” (For full disclosure, Mr. Flaherty was a consultant to SurveyMonkey and assisted in the development of our current Privacy Policy.) As Privacy Commissioner for Canada’s largest province in economic terms, Dr. Ann Cavoukian seems to recognize this too. A news article reported that she “conceded there’s nothing in Ontario’s privacy laws that prevents hospitals or other organizations from outsourcing information. ‘We don’t want to handcuff organizations from using the services of companies in other jurisdictions with better expertise and who can deliver them at better cost,’ she said.”
With over a dozen years in the business and a registered user base of over 8 million, including 100% of Fortune 100 companies, SurveyMonkey is the global leader in the online self-service survey tools industry. As long as you aren’t prohibited from using SurveyMonkey by local laws or policies, we encourage you to consider this: SurveyMonkey can’t guarantee the absolute privacy of your data—no internet company truly can—but ultimately we believe that the many benefits offered by our survey solutions–ease of use, speed of deployment, cost effectiveness, and high standards of security—far outweigh the minimal, theoretical privacy risk posed by the Patriot Act.
Please feel free to use the Comments section below to ask any questions you may have or let us know what additional information we can provide about our privacy and data collection policies.