Friday, June 10, 2011

Legal issues in cloud computing contracts

Yesterday, IT World Canada published a very lengthy article on the manifold legal issues that need to be considered when a company moves its data to the cloud, including a lengthy interview with me given a little while ago.

Here's the first part ...

Canadian cloud contracts: Liabilities and limitations - Page 1 - Leadership

More companies in Canada are turning to the cloud — or, at least, thinking about it — for flexibility, agility and cost savings. But there is often the perception that using cloud-computing services could compromise corporate and customer data, or may even be against the law.

But there’s no law that prevents most Canadian businesses from exporting personal information, said David Fraser, partner with McInnis Cooper, president of the Canadian IT Law Association and chair of the National Privacy and Access Law Section of the Canadian Bar Association.

“Once you move into a real cloud computing model, all of a sudden you don’t know where your data is — where in Canada or where in the world — and we’ve seen a big privacy-related backlash against cloud computing,” he said. So a large part of his job is telling people they’re wrong, since there’s a huge amount of misinformation out there.

Private-sector privacy laws require that you ensure a comparable level of security for personal information, regardless of whether you permit it to be managed by a Canadian company or a non-Canadian company. And some highly regulated industries, such as banking, have special rules that may include additional regulation for outsourced services.

“The Patriot Act is the big thing that people freak out about,” he said, “but we have a Canadian version of the Patriot Act, which is just as offensive.”

Here’s the deal: In 2001, the U.S. Congress passed the USA Patriot Act, which expanded the powers of law enforcement and national security agencies to carry out investigations and obtain intelligence in connection with anti-terrorism investigations.

But the provisions that have attracted the most criticism, said Fraser, have equivalents under Canadian law. Regardless of where information resides, it will always be subject to lawful disclosure to law enforcement or national security bodies. In Canada, he said, this includes search warrants under the Criminal Code of Canada and the Canadian Security Intelligence Service Act. Many European countries also permit broader law enforcement and national security access to information than in both the U.S. and Canada.

Of course, where the data sits can have an impact on that data. If it’s in North Korea or China, it’s at high risk, said Fraser. In the U.S., it may in some cases be significant, but in most cases it won’t be. “How interested would the FBI be in getting their hands on that data and would they be able to justify getting a subpoena? In most cases no,” he said. “And if it’s a person of interest they can get it in Canada.”

Many people are surprised to learn there’s a secret court in the U.S. where judges hear applications made by Department of Justice lawyers for search warrants (and other such things) and there’s nobody on the other side to oppose those applications.

“We have a secret court in Canada,” said Fraser. “We have a bunker in Ottawa where judges hear lawyers from the Department of Justice and CSIS for warrants to do things as potentially offensive as break into your house and install wiretapping equipment. These orders can specifically provide for authorities to go back in and change the batteries. So people don’t often think that Canada is engaged in these types of cloak and dagger things, and we are. Our definition of anti-terrorism is as broad and offensive as the U.S.”

Canadian authorities have virtually identical powers under the Canadian Security Intelligence Service Act, he said, which permits secret court orders that authorize CSIS to intercept communications or to obtain anything named in the warrant.

On top of that, Canada has a mutual legal assistance treaty with the U.S. (as well as informal agreements), so if the FBI wants data and it’s in the hands of a Canadian company, the FBI calls the RCMP or CSIS. “So when you dig into it, that cross-border issue, at least in most cases, really is not the large issue that many people are led to believe it is,” he said, adding that the Patriot Act has become shorthand for just saying no.

Only British Columbia and Nova Scotia have laws strictly regulating the export of personal information from Canada by public bodies, said Fraser. For all other jurisdictions, including the federal jurisdiction, export is permitted, but the public body must ensure a comparable level of security for personal information, regardless of whether it’s managed by a Canadian or non-Canadian company.

What businesses need to do is benchmark their existing privacy infrastructure and compare it to the privacy infrastructure of the proposed cloud provider. What are the real risks to the data, and to privacy and security? A lot of businesses have significant existing vulnerabilities — from insecure desktops, to playing catch-up with security patches, to mobile employees running around with laptops. Or thumb drives. “Nothing is more stupid or dangerous,” said Fraser. “In a cloud model if the computer is lost you lose nothing.”

Very often, this benchmark leans heavily in favour of the cloud provider that has squadrons of security people. Small businesses, in particular, are vulnerable to power outages and basic continuity issues. A reputable large-scale cloud provider will have multiple data centres, so things will stay up and running.

Read more ...


  1. Informative article, David, but do you really think it stands true that Canadian laws are "just as offensive" as the Patriot act provisions? Certainly both jurisdictions provide procedures for law enforcement agencies to intercept communications and order the production of data, but, from my understanding, the safeguards are different.

    First of all, under the CSIS Act, the standard is that an agent must be reasonable grounds to believe that a warrant is "required" to enable an investigation. Under the Patriot Act, the standard is only that there needs to be reasonable grounds to believe that the information sought will be "relevant" to the invesgitation.

    Secondly, the extent of constitutional protection differs. The current view of the U.S. Justice Department is that obtaining "driver’s license records, hotel records, car rental records, apartment leasing records, credit card records," etc. under s. 215 of the Patriot Act is constitutional, as this is not even considered a "search". On the contrary, given Canadian jurisprudence of s. 8, at the very least information such as credit card records should fall under a "reasonable expectation of privacy" and thus fall under Charter scrutiny.

    Third, there's a growing body of evidence that U.S. law enforcement agents are not even respecting the already-minimal threshold in place there. U.S. Senators have revealed that the DOJ is relying on a secret legal opinion that allows them to rely on an undisclosed loophole in the current legislation (e.g. see

    Certainly, authorities can obtain computer data from servers in both Canada and the U.S., but at least there's currently a bit more protection here from unauthorized use of these powers.

  2. I have reviewed your Law Firm Blog. You gave me lots of important law information. I will apply this topic in my firm. I have enjoyed reading it.

    “Chad Wuertz Indianapolis”