Wednesday, December 19, 2012

Keeping data in Canada provides illusory protection against foreign government access

I was invited by CATA to give a presentation on cloud computing, privacy and cross border data flows for a number of its members and stakeholders who are involved with the fledgling Shared Services initiative coming out of the Government of Canada.

Here is the presentation, in case it is of interest:

IT World Canada was in attendance and has posted the following article:

Keeping data here no protection against US: Lawyer:

Ottawa may not allow cloud providers to store citizens' data across the border. But a lawyer says a better protection against US law is risk mitigation

By: Howard Solomon

ComputerWorld Canada (19 Dec 2012)

The refusal of some federal government departments to allow outsourcers to store personal data of citizens outside Canada won’t keep foreign governments from getting legal access to it, says a lawyer who specializes in cloud computing.

“Data sovereignty is a bit of an illusion because we’re so interconnected (with law enforcement agencies) and there’s so much data sharing taking place,” David Fraser told an audio conference call Tuesday sponsored by the Canadian Advanced Technology Alliance (CATA).

In particular, fears that the USA Patriot Act acts as a “huge vacuum cleaner” for American law enforcement agencies to get at personal data is baseless, he said.

The Patriot Act is a “boogey man,” he said.

The fact is most developed countries have legal tools that allow their law enforcement agencies to make legal claims on data held in their countries or outside their borders, Fraser said.

Fraser, a partners with the Halifax firm McInnes Cooper, argued the real issue for Ottawa when considering outsourcing that includes storing data in the U.S. should be assessing the risk that data can be lost or unlawfully accessed and taking steps to lower the risk.

The teleconference is part of a campaign by CATA, which represents IT manufacturers, solution providers, system integrators and consultants trying to sell products and services to governments, to get Ottawa to clarify its position on outsourcing data.

In an interview John Reid, CATA chief executive officer, said that since the creation last year of Shared Services Canada, an agency trying to consolidate federal IT services, the government has suggested it may mandate that personal data of citizens must be held in data centres here.

There isn’t a formal federal policy on cross-border data storage, Fraser told the conference call. Nor is there federal law that prohibits it. Instead, it is up to individual departments to do a risk assessment if they decide cross-border data storage is justified and take appropriate privacy measures. Only two provinces, British Columbia and Nova Scotia, have policies forbidding cloud providers from storing provincial data outside Canada.

Shared Services Canada has been trying to create new buying and outsourcing policies, setting up several committees on which CATA and other private sector groups sit. It is those committees, Reid said, that CATA is getting signals of SSC’s only-in-Canada intent.

Earlier this month CATA sent a letter to SSC asking for the department’s intentions, but Reid said he hasn’t had a reply yet.

The department didn’t respond to a request Tuesday from IT World Canada for clarification

One person on the conference call said some government departments already demand in requests for proposals (RPFs) her organization that any outsourced solution has to keep data in Canada.

Reid wants to persuade Ottawa to be more open to cloud solutions where data is stored outside the country in part so his members get opportunities to bid on business, and in part, he said, because the government shouldn’t turn aside possible solutions that will make it more efficient.

Fraser noted that according to international law, U.S. law enforcement authorities have the right to subpoena data even if the data is held outside its borders, as long as there are connecting factors. (The same is true for police here, he added.)

For example, he said, if the data is held in Canada the U.S. could subpoena it through a person working for a company there.

For that reason, he said, a Canadian data centre owner might be able to safeguard data here if none of its executives ever crossed the border.

More practically, he said the Canadian government could take a number of steps to reduce the odds of the personal data of its citizens being misused by U.S. authorities.

The first is to encrypt the data – which should be a standard procedure anyway, he said ---- and make sure control of the encryption keys is held here.

Second, the government could decide that only “low risk” data can be sent out of the country.

Third, the government could demand certain contractual provisions with a service provider, such as clauses that says the data belongs to the customer, not the data centre, that the service provider won’t turn data over unless legally required to so, and that it will notify the customer of any subpoenas.

There could also be a requirement the provider to go a U.S. court to resist a subpoena, although Fraser admitted there’s no guarantee will be successful.

“There isn’t a shortage of ideas of how to mitigate risk,” he said.

Fraser didn’t say, but these risk mitigation options also apply to private sector companies who have been shy about adopting American cloud-based solutions.

Wednesday, December 12, 2012

Google offers model contract clauses for EU data protection compliance

Google has today announced that it is making Model Contract Clauses available to customers who have to deal with EU data protection rules.

Model contract clauses are one mechanism that permit an entity to export European personal information outside of the EU, which is in addition to safe harbor and binding corporate rules.

The announcement is found here: Official Google Enterprise Blog: Google Apps offers additional compliance options for EU data protection.