Canadian Cloud Law Blog: 2010

Tuesday, December 14, 2010

American Appeals Court says cops need warrants (with probable cause) to get e-mails

This is great news, both for e-mail users and for greater adoption of cloud computing. Contrary to Department of Justice lawyers (and too many precedents on their side), the US Court of Appeals for the Sixth Circuit has found that stored e-mails can't be accessed by law enforcement without a valid warrant.

The court struck down portions of the Stored Communications Act, which had permitted law enforcement to get their hands on e-mails over 180 days old with only a subpoena.

This may have big implications for cloud computing. One of the problems with US law on this is that the Fourth Amendment has been interpreted to say it doesn't protect the privacy of information held by a third party. So if you hand info over to someone like a bank, a cloud provider, an e-mail provider, etc. the protection is very different than if you have it in your personal possession. Finally the courts may be seeing that handing over data to service providers is the modern reality and privacy protections should keep up.

This is a victory for The Digital Due Process Coalition and its supporters in the United States who are advocating for bringing due process into line with modern technology.

Check out some interesting commentary:

And the decision is here: http://www.ca6.uscourts.gov/opinions.pdf/10a0377p-06.pdf.

Sunday, November 28, 2010

Privacy in the cloud for Canadian universities

This past week, I was invited to speak at the annual get-together of The Canadian University Council of CIOs (CUCCIO) in Toronto on the topic of cloud computing. Many universities in Canada are struggling with the legal and privacy issues of adopting cloud computing, particularly when Google and Microsoft are both offering very attractive (and free!) offerings that would relieve universities of the costs and burdens of administering student and alumni e-mail.

Universities in Alberta, British Columbia and Nova Scotia are particularly hampered by legislation that was designed to thwart the boogeyman represented by the USA Patriot Act.

BC and Nova Scotia have each adopted legislation that either categorically prohibits the "export" of personal information by public bodies, or put in place administrative hurdles. Alberta joins this pack by making it an offense under their public sector privacy law to disclose personal information in response to a "foreign demand for disclosure".

Part of the problem is that the legal framework is not particularly nuanced, as each decision about whether to outsource a service should be guided by a detailed risk assessment and privacy impact assessment instead of ham-fisted categorical rules that don't take particular circumstances into account.

Here is my presentation, which was well received.

If the embedded slideshow isn't showing you the love, click here: https://docs.google.com/present/view?id=ddpx56cg_320fx7rkbhh&interval=30

Monday, October 25, 2010

Privacy Commissioner releases draft report on 2010 consumer privacy consultations

The Privacy Commissioner of Canada has released her draft report on her 2010 Consumer Privacy Consultations that focused on "Online Tracking, Profiling and Targeting and Cloud Computing." You can get to the report here: http://www.priv.gc.ca/resource/consultations/index_e.cfm.

Privacy Commissioner releases draft report on 2010 consumer privacy consultations

Wednesday, October 6, 2010

Ontario Commissioner releases paper on cloud computing

Ontario Commissioner, Anne Cavoukian, has released a new paper on privacy and cloud computing. Here's a summary:

Modelling Cloud Computing Architecture Without Compromising Privacy: A Privacy by Design Approach
As the Internet has evolved, we have seen the emergence of “Cloud computing.” Organizations have begun to leverage the connectivity created by the Internet to optimize the utility of computing. Ever-cheaper and more powerful processing and storage capabilities are allowing data centres to act as viable, large scale central computing hubs. Simultaneously, increasing network bandwidth and reliable yet flexible network connections make it possible for clients – both individual and enterprise – to utilize high quality services which reside solely on these remote central hubs. These services will often include data storage (and real time access) or processing (by remote software and computing resources). This possibility, however, forces clients to re-think the data protection schemes developed for the point-A-to-point-B data flow.

Friday, September 24, 2010

US Senate considers update to Electronic Communications Privacy Act

This past week, the United States Senate Judiciary Committee held hearings on the possible update of the American Electronic Communications Privacy Act. The statute, passed in the 1980s, is in urgent need of an overhaul in an age of cloud computing. The law has its origin in (in my view, perverse) caselaw that says you have no expectation of privacy from the government once you've handed your information over to a third party. The law provides different standards (subpoena vs search warrant) based on the age of the message and whether it has been previously read by the intended recipient. In an age of cloud computing and the widespread use of text messaging, one high standard is required.

From the industry side, the effort for reform is led by the Digital Due Process Coalition, made up of industry leaders such as Google and Microsoft. For a great overview of the issue and the hearings, see here: Senate considers update to Electronic Communications Privacy Act | Gov 2.0. The Google Public Policy blog has information on Google's position, including the written statement by Richard Salgado, their senior lawyer responsible for this area: Digital Due Process: The Time is Now.

The Judiciary Committee page has a webcast link if you want to see the hearing.

Monday, June 21, 2010

Privacy in the Clouds presentation

Below is my slide deck that I presented at the Privacy Commissioner's public consultation on cloud computing in Calgary on June 21, 2010.

Let me know in the comments or by e-mail if you have any problems with the slides.

Saturday, June 19, 2010

Privacy Commissioner's consumer consultation (cloud computing) continues on Monday in Calgary

I've been honoured to be invited as one of the keynote speakers at the Privacy Commissioner's consumer consultations taking place in Calgary on Monday. I'm speaking on the topic of Cloud Computing. The full agenda is here.

The proceedings will be webcast: http://welcome2theshow.com.previewyoursite.com/priv2010/index_calgary.html, starting at 9:00 Mountain time. I think you'll be able to watch it later from the same address if you miss it the first time. Or you can watch it over and over again.

The roster of speakers is very impressive, including:

Mr. Joseph H. Alhadeff, Vice President for Global Public Policy and Chief Privacy Officer, Oracle Corporation
Mr. Shane Schick, Editor-in-Chief, ITWorldCanada (moderator)
Mr. Declan McCullagh, Senior Correspondent, CBS News web site
Mr. Brad Templeton, Director, Electronic Frontier Foundation
Mr. Doug Jones, Cloud Computing Unit Executive, IBM Canada
Mr. Daniel Koffler, Chief Technology Officer, Syntenic
Dr. Andrew Patrick, IT Research Analyst, Office of the Privacy Commissioner of Canada (moderator)
Mr. Scott Morrison, CTO, Layer 7 Technologies
Dr. Tomas Sander, Research Scientist, HP Labs
Mr. Brian O'Higgins, Consultant and Entrepreneur (Founder of Third Brigade), Assistant to the CTO, Trend Micro
Dr. Thomas Keenan, Professor, University of Calgary
Mr. Carman Baggaley, Senior Policy and Research Analyst, Office of the Privacy Commissioner of Canada (moderator)
Ms. Kathryn Ratté, Senior Attorney, Division of Privacy and Identity Protection, Federal Trade Commission
Mr. Mike Hintze, Associate General Counsel, Microsoft
Mr. Adam Kardash, Partner, Heenan Blaikie
Ms. Janet Lo, Legal Counsel, Public Interest Advocacy Centre

About this site and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy and technology lawyer who is a partner with the firm of McInnes Cooper. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws and cloud computing.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients of my firm. If you have a privacy matter, please contact me about becoming a client. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser may not be protected by solicitor-client privilege.

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Due to professional ethics, the author may not be able to comment on matters in which a client has an interest. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to
Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.