Cloud Computing in Canada and the Impact of the US Patriot Act
Disclaimer! The information here is presented as just that: information only. I am not a lawyer and I get most of my info the same way you do – I Google it. So don’t take my word as gospel, consult legal representation and don’t even think of suing me if it all goes to Hell in a hand basket. There. Now that that’s out of the way…
This subject falls into the category of Top 10 Questions. The cloud is buzzing like a horde of angry bees and many folks are wondering if / how they should get involved in the biggest craze since the selfie-stick (don’t even get me started…) and just what the legal ramifications of the Patriot Act are should they get involved with a US-based outfit. And let me start with this: before even saying the words “cloud services”, you need to assess your current IT infrastructure, including any existing outsourced IT and network support, and carry out an in-depth needs analysis. But I have already written a blog post about that, so straight to business.
Are there any restrictions on outsourcing to a non-Canadian company?
A note on nomenclature… Outsourcing to the cloud can mean anything from a massive Salesforce or AP implementation to email hosting to just lobbing some files up into Dropbox so you can look at them whilst you languish at the airport tomorrow. Think of it this way: if it leaves the confines of your network – and that includes laptops, tablets, smartphones, and memory sticks – and spends any time camped out on external storage (free or otherwise), it’s been outsourced.
Regarding restrictions, this is somewhat dependent on the kind of business you are in, but generally speaking, there are no laws governing whether or not you can export personal information to a foreign-held company. However, privacy laws do exist that require you to make a “best efforts” attempt to safeguard the security of that personal information. Organizations such as banks, law firms, hospitals and medical offices, stock traders, etc. may have further stipulations with regard to information protection, but essentially, you are indeed on the hook if you are a publicly traded company and you don’t disclose the fact that some of your data lives outside of Canada. It is interesting to note that initially, the Law Society of BC’s stance on data residing outside of BC, let alone the rest of Canada, was that it is strictly verboten. That has changed though because, well, are you kidding me? You can use the cloud for any kind of hosting you want so long as that host keeps it all here at home in la-la land? Once everyone stopped laughing, a collective virtual middle finger was raised and the stance was changed to (and I paraphrase) “Do whatever the Hell you want to do, but it’s on you if it all goes south” (pardon the pun).
So exactly what is the Patriot Act then?
In 2001, the US Congress passed a law that expanded the powers of the national security agencies to aid their efforts in gathering information in connection with anti-terrorism initiatives. This frightens many Canadian companies to the point that they won’t take any chances on a run-in with Uncle Sam and the Men in Black. Truth is though, nobody (NSA aside) protects privacy like our southern brethren, and the stipulations they have in place make it extremely difficult to get the internet equivalent of a search warrant. You’d really have to set off some red flags for it to happen – they need probable cause, and if you run a legitimate business, you have precious little to worry about. Still, there are some bona fide concerns, and as such the BC Privacy Commissioner’s office did carry out an inquiry once the dust settled on Dubya’s signature. In the end, at least in BC, companies can indeed export private information to a foreign-held company so long as they have the express consent of the individual(s) impacted AND report any demands for disclosure (by law) AND make reasonable efforts to safeguard that private information. “Reasonable efforts” means you did everything that was in your power (and budget) to ensure the utmost in security.
Is the Patriot Act more about privacy in the internet age than it is about Spy vs. Spy?
Good question, but again it depends. The meat of the Patriot Act (and the stuff that has most people crying “no fair”) has its own equivalents in Canadian law anyway. So that means CSIS can obtain secret court orders, tap phones without a warrant, even procure information from your local Internet Service Provider – all without your knowledge; again though, you’d really have to be raising eyebrows to even attract their attention. It should also be noted that European laws are far more far-reaching than their North American counterparts, and that includes the actual incidence of interception of data. Case in point – the Italian government intercepts somewhere in the neighbourhood of 75,000 to 100,000 data transmissions yearly. The Americans? 1500 – 2000 interceptions yearly. Numbers in Canada are comparable to the US, and given that their population is 10 times ours, I would say we have bigger fish to fry than the Patriot Act. Truth is, we are far more likely to get our data frisked by Canadian authorities than we are by Big Brother.
Does it help that we keep all of our data in Canada?
Nope. Not even close. Using Office 365 or Azure? US company, irrespective of whether it is in a Canadian data centre or not. Hosting with Amazon Web Services? Same deal. Doing remote data backups to a Canadian company? Better hope they don’t have American data replication sites, as is often the case. Actually – forget all of that, because it is about as important as the federal Green Party. Fact is, Canada has agreements with most of the democracies in the western world that result in mutual efforts to find those nasty no-goodniks out there in the ether, irrespective of where they plant their flags. So if Big Bro suspects that an agent of terror is using a ‘puter in Canada with which to direct their nefarious goings-on, you can throw privacy in the bin along with yesterday’s coffee grounds. They will simply drop a dime to the RCMP or CSIS, and you can bet your bits and bytes that they will get the complete assistance of Canadian authorities. You should also be aware that if you have an office outside of Canada (even a single road warrior operating stateside), our southern cousins consider y’all to be an American company, and yes, that includes any and all hosting companies you may subscribe to – even the ones in Canada! Truthfully? Your private information may be harder to get at if it is on American soil than if it stays in the land of back bacon and igloos.
So exactly what are my legal requirements in reference to privacy then?
Canada is curiously mum on this, but at the end of the day, privacy safeguards must be equivalent to the sensitivity of the data you are protecting. So the higher the data sensitivity, the stronger the security measures you need to enact. Do remember though, legally it’s all about reasonable efforts; after all, if the bad guys really want your 1’s and 0’s, they’ll find a way – they always do. Just so long as you actually try really, really hard to protect your private data, no one can legally fault you.
Is it safer in the cloud than hosting it myself?
Data is only as safe as you or the host make it. Most of the client networks we support are very secure – business-grade firewalls and routers, aggressive antivirus policies, stringent patching – all of which go a very long way in keeping the gremlins from the gates. But knowing how secure the company that hosts your data is, is a bit of a crapshoot; you have no idea how secure they are, only how secure they SAY they are. All other things being equal though, data in the cloud is as safe as or safer than that which you host yourself, given the resources available to the host in a large-scale deployment of cloud services.
So what is my “best practice” advice for deciding whether to use a cloud-based service? Obviously you need to do your homework on the host. Are they reputable? What is their policy on privacy? Does it comply with existing law (your corporate lawyer can help you with that)? Does it comply with your corporate policy? Does the outsourced piece contain sensitive data? Many questions, but again your corporate legal eagles can help you sort this out. At the very least, you need to conduct a privacy impact assessment (see above comments on lawyers).
At the end of the day, cloud is good and cloud is great but… (and this is a really big but) you really need to carefully examine the prospective service(s) and the company offering them to ensure they meet your needs and your budget, they make you more efficient and / or profitable, and most importantly, they never leave you exposed legally. Do your homework and engage your lawyer and your network support people – be they outsourced IT support or otherwise.