This week Ellen Richardson, a Canadian citizen trying to fly from Toronto to New York to board a cruise ship bound for international destinations in the Caribbean, was denied permission to transit the U.S. by the DHS, on the basis of her history of clinical depression and her previous suicide attempts in Canada — none of which had involved the police or any criminal charges.

Canadian citizens normally don’t need visas for short-duration visits to the U.S. as tourists. But U.S. law, Title 8 USC Section 1182(A)(iii)(II), forbids entry to any non-U.S. citizen who is determined “to have had a physical or mental disorder and a history of behavior associated with the disorder, which behavior has posed a threat to the property, safety, or welfare of the alien or others and which behavior is likely to recur or to lead to other harmful behavior,” unless they obtain a waiver from one of the doctors specially appointed by the DHS to examine applicants for admission to the U.S.

DHS files about people who aren’t U.S. citizens or residents aren’t subject to the Privacy Act, and the DHS and the NSA claim the authority to collect and retain pretty much any information they can obtain about foreigners, including (at least implicitly) health information and medical records.

The questions being asked in Canada are how the DHS learned of Ms. Richardson’s medical history, whether any Canadian entities disclosed private information to U.S. government agencies, and whether any Canadian laws such as PIPEDA or the Canadian Privacy Act were violated.

There appear to have been at least four ways that the DHS could have learned of Ms. Richardson’s medical history:

1. Some Canadian entity might have knowingly disclosed information about Ms. Richardson to the DHS. This probably wouldn’t violate any U.S. law (foreigners have essentially no statutory privacy protection under U.S. law), but would almost certainly constitute a grave violation of PIPEDA and/or the Canadian Privacy Act by the responsible Canadian entity.
2. Some Canadian entity might have outsourced or disclosed information about Ms. Richardson to an entity in the U.S., which in turn disclosed it to the DHS. Once personal data is in the U.S., no U.S. law restricts its onward transfer to third parties including the DHS or other government agencies.  Many Canadian companies (including, as we’ve previously documented, Air Canada) outsource storage and processing of personal information to companies in the U.S., or share information with U.S. business partners, affiliates, or the like.  When the details are scrutinized, almost all such cross-border data transfers violate PIPEDA and/or the Canadian Privacy Act.
3. The NSA might have hacked some Canadian entity or intercepted intra-Canadian data transfers, and shared its findings with the DHS. Health and medical information hasn’t been specifically mentioned as a target of the NSA’s dragnet or its hacking of foreign databases, but can’t yet be ruled out.
4. The DHS might have searched for “publicly available” information about Ms. Richardson, and happened upon her history of suicide attempts. This seems the most likely explanation, but raises the further question of how often, how systematically, and how deeply DHS components conduct these sorts of Internet or other searches.  Unfortunately, the investigations now being undertaken by Canadian privacy officials are unlikely to shed any light on this question.

We’d love to hear from any whistleblowers or leakers who can shed light on what happened to Ms. Richardson or, more generally, what sorts of Internet or “public-source” data about Canadian and other visitors to the U.S. the DHS is trolling and entering into its permanent files about individuals.