The Canadian Corporate Counsel Association Magazine (CCCA Magazine) Spring 2014 edition had a strong focus on privacy, "Managing your Privacy Risk: An In-house Guide." The edition included a version of my Cloud Computing and Privacy FAQ, focused at in-house counsel. Click the image (or here) to get the full article:
For those who have been following this topic in Canada, you'll remember that the first time that the USA Patriot Act appeared on the country's radar in earnest was when the British Columbia government proposed to outsource IT processing to the Canadian subsidiary of a US company. The union, most likely concerned about job losses latched onto the USA Patriot Act as the hook that would get some traction in the media and in the public mind.
That led to the inquiry by BC's Information and Privacy Commissioner, then amendments to that province's Freedom of Information and Protection of Privacy Act and then Nova Scotia's Personal Information International Disclosure Protection Act.
Now, somewhat predictably, the principal Nova Scotia trade union for public employees is resurrecting the boogeyman to try to stop outsourcing of IT services by the provincial government. We'll see how this plays out ...
Data at risk in private-sector deal | The Chronicle HeraldUnion worried Nova Scotian’s records vulnerable
The province’s largest public-sector union is worried about the security of Nova Scotians’ information if the government contracts out information technology work in a deal workers say could total $100 million over 10 years.
Joan Jessome, president of the Nova Scotia Government and General Employees Union, said Thursday that there’s a vast amount and array of data in the SAP computer system. She said it includes everything from payroll numbers to procurement information and data from the Registry of Motor Vehicles.
“There probably isn’t a single Nova Scotian ... that has not been impacted by SAP,” Jessome said.
“(Our members) are telling us that we have reason, no matter what the agreement is, that once that (information) goes to an international company, we should always be concerned about how far that goes and what acts does it cover in different countries across the world.”
She said employees mentioned the Patriot Act in the United States, passed after the 9-11 attacks. It requires U.S. companies to provide records to the American government upon demand.
A 2005 provincial auditor general’s report raised a concern that U.S. companies with Canadian subsidiaries could also be compelled to turn over information. In 2006, the minority Tory government of the day passed the Personal Information International Disclosure Protection Act, meant to prevent U.S. authorities from inappropriately accessing Nova Scotians’ information under the Patriot Act.
Finance Department spokeswoman Michelle Lucas had said Wednesday that ensuring information is secure would be a top priority. She had no further comment on the potential outsourcing Thursday.
On Monday, government officials met with employees who run the system to tell them about the possibility their jobs will be contracted out. There are about 73 unionized workers, and another 35 who aren’t unionized. The non-union workers run the system for district health authorities and the IWK Health Centre.
Jessome said workers told her that the government is considering a 10-year contract for the work, worth $10 million a year.
Lucas had said Wednesday that a multinational firm approached the province last year about setting up a “global delivery centre” in the province. Its main office would be in Halifax, with a smaller one in Sydney.
Sources have said the firm is IBM Canada. Jessome said the government has told her which company, but she agreed to keep it confidential.
IBM Canada spokeswoman Carrie Bendsza said the company, which has employees in Halifax now, doesn’t comment on rumour or speculation. She also said it doesn’t reveal how many employees it has in individual cities or countries.
Jessome said there are currently eight union SAP information technology workers in Sydney, three in Truro, and the rest in Halifax.
Lucas has said that if the province does make a deal with the company, all affected provincial employees would be offered a job. Jessome said many have already indicated they wouldn’t take it.
She said they’d lose the security of being in the union, the work week would likely go up to 40 hours from 35, their pension plan would change to defined contribution from defined benefit, and they could face months-long placements at the company’s other locations, such as China and India.
“They’re certainly concerned about their jobs, no question, but the other thing that they were scared of is the security of information,” Jessome said.
Lucas also said the potential contracting out isn’t being considered as a cost-cutting measure, but as an economic development opportunity in the hope of creating more jobs.
The province has spent many millions on the SAP system since first adopting it in 1996, with some projects going over budget, and the system not always working properly.
This decision from the Information and Privacy Commissioner of Ontario snuck under my radar this summer while I was on vacation.
This investigation is the result of a complaint brought by a Member of the Provincial Parliament about the Ontario Government's decision to outsource the processing and management of fishing and hunting licenses to a US-based business. The Commissioner did a thorough investigation and I am told they were pleasantly surprised by what they found. With regard to the USA Patriot Act, the Commissioner wrote:
The PATRIOT Act
The complainant has expressed concerns that the personal information of Ontarians will be subject to and accessible under American laws, including the PATRIOT Act. It is important to remember that, in Ontario, there is no legislative prohibition against the storing of personal information outside of the province or Canada. In other words, Ontario law, including the Act, does not speak to this issue. However, the Act and its regulations do require provincial institutions to ensure that reasonable measures are in place to protect the privacy and security of their records containing personal information. This applies regardless of where the records are located. Further, Ontario provincial institutions remain accountable for the actions of their agents or service providers, whether located in Ontario or in other jurisdictions.
I understand the complainant’s concern that the PATRIOT Act may be used by U.S. law enforcement agencies to access Ontarians’ personal information. However, the risk that law enforcement agencies may access personal information is not restricted to information held in the U.S. In fact, Canadian law enforcement agencies have similarly robust legal powers to obtain personal information held in Canada, and similar powers exist throughout most countries in the world. Further, law enforcement agencies in Canada, the U.S. and other countries have the ability to reach across borders to access personal information under various laws and agreements.
In this regard, the federal Privacy Commissioner of Canada has found that the privacy risks posed by the PATRIOT Act are similar to those found in Canada and, therefore, the privacy protection afforded by a U.S. service provider is comparable to that of a Canadian-based provider. In particular, the federal Privacy Commissioner has stated:
The risk of personal information being disclosed to government authorities is not a risk unique to U.S. organizations. In the national security and anti-terrorism context, Canadian organizations are subject to similar types of orders to disclose personal information held in Canada to Canadian authorities.
The federal Privacy Commissioner has also found that prior to the passing of the PATRIOT Act, U.S. authorities were able to access records held by U.S.-based firms relating to foreign intelligence gathering in a number of ways, including through formal bilateral agreements.3
Canadian legal scholars and practitioners have also carefully examined and commented on the privacy implications of the PATRIOT Act. Professor Michael Geist, Canada Research Chair in Internet and E-commerce Law, has written:
Claims that the enactment of the USA Patriot Act has dramatically altered the legal landscape are simply false. The U.S. law enforcement toolkit, which allows for the compelled, secret disclosure of personal information, pre-dates the USA Patriot Act by decades. Suggestions that the problem can be solved by keeping personal information from flowing outside the country are not realistic from a real-world, commercial perspective, where data is transferred and stored instantly on computer servers in other jurisdictions without regard for location.
David T.S. Fraser, a prominent Canadian privacy lawyer, has also been very clear in writing:
Most people are surprised to learn that some of the most “problematic” provisions of the USA Patriot Act are replicated in Canadian law in the Anti-Terrorism Act. We just don’t hear about it as much. People are also surprised to learn of huge amount of information sharing that takes place between agencies in Canada and their counterparts in the US.
The Act does not prohibit provincial institutions from outsourcing services on the basis that foreign law, including the PATRIOT Act, may apply. Similarly, there is no prohibition on the storage of personal information by government institutions outside the province. In fact, as noted by Professor Geist, outsourcing of technology services is a reality, whether by government agencies or private sector companies. Personal information may be subject to disclosure to law enforcement authorities, whether stored in the province or elsewhere. The critical question for institutions which have outsourced their operations across provincial or international borders is whether they have taken reasonable steps to protect the privacy and security of the records in their custody and control. I have always taken the position that you can outsource services, but you cannot outsource accountability. With this in mind, I now turn to consider what measures the Ministry has put into place in the circumstances of this complaint.
The decision is worth reading in its entirety: IPC - Office of the Information and Privacy Commissioner/Ontario | Reviewing the Licensing Automation System of the Ministry of Natural Resources: A Special Investigation Report [PC12-39].
Today I participated in a webinar with Sheepdog Inc. and Google on Privacy and Security in the cloud. Below is my presentation, in case it's of interest:
Yesterday, IT World Canada published a very lengthy article on the manifold legal issues that need to be considered when a company moves its data to the cloud, including a lengthy interview with me given a little while ago.
Here's the first part ...
Canadian cloud contracts: Liabilities and limitations - Page 1 - Leadership
More companies in Canada are turning to the cloud — or, at least, thinking about it — for flexibility, agility and cost savings. But there is often the perception that using cloud-computing services could compromise corporate and customer data, or may even be against the law.
But there’s no law that prevents most Canadian businesses from exporting personal information, said David Fraser, partner with McInnis Cooper, president of the Canadian IT Law Association and chair of the National Privacy and Access Law Section of the Canadian Bar Association.
“Once you move into a real cloud computing model, all of a sudden you don’t know where your data is — where in Canada or where in the world — and we’ve seen a big privacy-related backlash against cloud computing,” he said. So a large part of his job is telling people they’re wrong, since there’s a huge amount of misinformation out there.
Private-sector privacy laws require that you ensure a comparable level of security for personal information, regardless of whether you permit it to be managed by a Canadian company or a non-Canadian company. And some highly regulated industries, such as banking, have special rules that may include additional regulation for outsourced services.
“The Patriot Act is the big thing that people freak out about,” he said, “but we have a Canadian version of the Patriot Act, which is just as offensive.”
Here’s the deal: In 2001, the U.S. Congress passed the USA Patriot Act, which expanded the powers of law enforcement and national security agencies to carry out investigations and obtain intelligence in connection with anti-terrorism investigations.
But the provisions that have attracted the most criticism, said Fraser, have equivalents under Canadian law. Regardless of where information resides, it will always be subject to lawful disclosure to law enforcement or national security bodies. In Canada, he said, this includes search warrants under the Criminal Code of Canada and the Canadian Security Intelligence Service Act. Many European countries also permit broader law enforcement and national security access to information than in both the U.S. and Canada.
Of course, where the data sits can have an impact on that data. If it’s in North Korea or China, it’s at high risk, said Fraser. In the U.S., it may in some cases be significant, but in most cases it won’t be. “How interested would the FBI be in getting their hands on that data and would they be able to justify getting a subpoena? In most cases no,” he said. “And if it’s a person of interest they can get it in Canada.”
Many people are surprised to learn there’s a secret court in the U.S. where judges hear applications made by Department of Justice lawyers for search warrants (and other such things) and there’s nobody on the other side to oppose those applications.
“We have a secret court in Canada,” said Fraser. “We have a bunker in Ottawa where judges hear lawyers from the Department of Justice and CSIS for warrants to do things as potentially offensive as break into your house and install wiretapping equipment. These orders can specifically provide for authorities to go back in and change the batteries. So people don’t often think that Canada is engaged in these types of cloak and dagger things, and we are. Our definition of anti-terrorism is as broad and offensive as the U.S.”
Canadian authorities have virtually identical powers under the Canadian Security Intelligence Service Act, he said, which permits secret court orders that authorize CSIS to intercept communications or to obtain anything named in the warrant.
On top of that, Canada has a mutual legal assistance treaty with the U.S. (as well as informal agreements), so if the FBI wants data and it’s in the hands of a Canadian company, the FBI calls the RCMP or CSIS. “So when you dig into it, that cross-border issue, at least in most cases, really is not the large issue that many people are led to believe it is,” he said, adding that the Patriot Act has become shorthand for just saying no.
Only British Columbia and Nova Scotia have laws strictly regulating the export of personal information from Canada by public bodies, said Fraser. For all other jurisdictions, including the federal jurisdiction, export is permitted, but the public body must ensure a comparable level of security for personal information, regardless of whether it’s managed by a Canadian or non-Canadian company.
What businesses need to do is benchmark their existing privacy infrastructure and compare it to the privacy infrastructure of the proposed cloud provider. What are the real risks to the data, and to privacy and security? A lot of businesses have significant existing vulnerabilities — from insecure desktops, to playing catch-up with security patches, to mobile employees running around with laptops. Or thumb drives. “Nothing is more stupid or dangerous,” said Fraser. “In a cloud model if the computer is lost you lose nothing.”
Very often, this benchmark leans heavily in favour of the cloud provider that has squadrons of security people. Small businesses, in particular, are vulnerable to power outages and basic continuity issues. A reputable large-scale cloud provider will have multiple data centres, so things will stay up and running.
On May 26, 2011, I had the pleasure of speaking at the University of Windsor's annual Campus Technology Day. Windsor has just recently made the decision to "Go Google" for student e-mail services.
My topic was cloud computing and privacy (with a little bit on copyright thrown in for good measure). Here is the presentation:
There were many active tweeters using #uwctd, in case you're looking for play-by-play commentary.
Over the last few months, Dalhousie University has been looking much more closely to the possibility of replacing much of its expensive infrastructure with an outsourced cloud service. I was part of the conversation with my presentation (large mov file) on campus on Data Privacy Day and the conversation has been continuing. It has been very interesting to look at three recent articles on Dal News, including a two-part interview with Dwight Fischer, the University's CIO, and particularly the comments by students and other stakeholders on those articles. Check them out:
If you are a member of the University community (have a dal.ca login), you can join the conversation here: https://blogs.dal.ca/connectedU/.
Dan Michaluk has a great summary of a recent and important access to information case from Ottawa, City of Ottawa v. Ontario (Information and Privacy Commissioner) (13 December 2010, Ont Div. Ct.): Case Report – Personal e-mails not subject to FOI legislation « All About Information.
I think this is probably one of the most important access decisions of the past year. It's similar to Johnson v Bell Canada, but seems to go even further. It will have a big impact in universities, where professors have generally been wrangling for exclusion of their e-mail from access legislation.
Most importantly, I think: This case may also have an impact on cloud computing for universities and USA Patriot Act-blocking statutes, because these statutes only apply to information under the "custody or control" of the public body. This case can be interpreted to support the proposition that student e-mail, at least, is not under the custody or control of the public body for the purposes of such statutes.
Update (30 December 2010): Canadian Privacy Law Blog: Ontario Commissioner to appeal personal email decision.
Today, I had the great pleasure of being one of the speakers at Ryerson University's broad consultation on the possibility of adopting cloud computing at the university. It was an incredibly high-quality event with a packed auditorium (in the middle of reading week, no less) and a very engaged audience.
The agenda is here: E-mail and Collaboration Tools Consultation | Email & Collaboration Tools Consultation.
My presentation is here:
If you can't see the embedded presentation, try this link: https://docs.google.com/present/view?id=ddpx56cg_415c4c8k5g5&interval=60
The full symposium was webcast live and will be available here:
If you want to see the many, many tweets which were sent out, search Twitter for #ryeprivacy.
UPDATE: Over at Slaw.ca, Dan Michaluk, who was at the symposium, has posted a few of his observations on the day: Commissioner Cavoukian says the Patriot Act is nothing.
This is great news, both for e-mail users and for greater adoption of cloud computing. Contrary to Department of Justice lawyers (and too many precedents on their side), the US Court of Appeals for the Sixth Circuit has found that stored e-mails can't be accessed by law enforcement without a valid warrant.
The court struck down portions of the Stored Communications Act, which had permitted law enforcement to get their hands on e-mails over 180 days old with only a subpoena.
This may have big implications for cloud computing. One of the problems with US law on this is that the Fourth Amendment has been interpreted to say it doesn't protect the privacy of information held by a third party. So if you hand info over to someone like a bank, a cloud provider, an e-mail provider, etc. the protection is very different than if you have it in your personal possession. Finally the courts may be seeing that handing over data to service providers is the modern reality and privacy protections should keep up.
This is a victory for The Digital Due Process Coalition and its supporters in the United States who are advocating for bringing due process into line with modern technology.
Check out some interesting commentary:
And the decision is here: http://www.ca6.uscourts.gov/opinions.pdf/10a0377p-06.pdf.
This past week, I was invited to speak at the annual get-together of The Canadian University Council of CIOs (CUCCIO) in Toronto on the topic of cloud computing. Many universities in Canada are struggling with the legal and privacy issues of adopting cloud computing, particularly when Google and Microsoft are both offering very attractive (and free!) offerings that would relieve universities of the costs and burdens of administering student and alumni e-mail.
Universities in Alberta, British Columbia and Nova Scotia are particularly hampered by legislation that was designed to thwart the boogeyman represented by the USA Patriot Act.
BC and Nova Scotia have each adopted legislation that either categorically prohibits the "export" of personal information by public bodies, or put in place administrative hurdles. Alberta joins this pack by making it an offense under their public sector privacy law to disclose personal information in response to a "foreign demand for disclosure".
Part of the problem is that the legal framework is not particularly nuanced, as each decision about whether to outsource a service should be guided by a detailed risk assessment and privacy impact assessment instead of ham-fisted categorical rules that don't take particular circumstances into account.
Here is my presentation, which was well received.
If the embedded slideshow isn't showing you the love, click here: https://docs.google.com/present/view?id=ddpx56cg_320fx7rkbhh&interval=30
The Privacy Commissioner of Canada has released her draft report on her 2010 Consumer Privacy Consultations that focused on "Online Tracking, Profiling and Targeting and Cloud Computing." You can get to the report here: http://www.priv.gc.ca/resource/consultations/index_e.cfm.
The Privacy Commissioner of Canada has released her draft report on her 2010 Consumer Privacy Consultations that focused on "Online Tracking, Profiling and Targeting and Cloud Computing." You can get to the report here: http://www.priv.gc.ca/resource/consultations/index_e.cfm.
Ontario Commissioner, Anne Cavoukian, has released a new paper on privacy and cloud computing. Here's a summary:
Modelling Cloud Computing Architecture Without Compromising Privacy: A Privacy by Design ApproachAs the Internet has evolved, we have seen the emergence of “Cloud computing.” Organizations have begun to leverage the connectivity created by the Internet to optimize the utility of computing. Ever-cheaper and more powerful processing and storage capabilities are allowing data centres to act as viable, large scale central computing hubs. Simultaneously, increasing network bandwidth and reliable yet flexible network connections make it possible for clients – both individual and enterprise – to utilize high quality services which reside solely on these remote central hubs. These services will often include data storage (and real time access) or processing (by remote software and computing resources). This possibility, however, forces clients to re-think the data protection schemes developed for the point-A-to-point-B data flow.
This past week, the United States Senate Judiciary Committee held hearings on the possible update of the American Electronic Communications Privacy Act. The statute, passed in the 1980s, is in urgent need of an overhaul in an age of cloud computing. The law has its origin in (in my view, perverse) caselaw that says you have no expectation of privacy from the government once you've handed your information over to a third party. The law provides different standards (subpoena vs search warrant) based on the age of the message and whether it has been previously read by the intended recipient. In an age of cloud computing and the widespread use of text messaging, one high standard is required.
From the industry side, the effort for reform is led by the Digital Due Process Coalition, made up of industry leaders such as Google and Microsoft. For a great overview of the issue and the hearings, see here: Senate considers update to Electronic Communications Privacy Act | Gov 2.0. The Google Public Policy blog has information on Google's position, including the written statement by Richard Salgado, their senior lawyer responsible for this area: Digital Due Process: The Time is Now.
The Judiciary Committee page has a webcast link if you want to see the hearing.
Below is my slide deck that I presented at the Privacy Commissioner's public consultation on cloud computing in Calgary on June 21, 2010.
Let me know in the comments or by e-mail if you have any problems with the slides.
I've been honoured to be invited as one of the keynote speakers at the Privacy Commissioner's consumer consultations taking place in Calgary on Monday. I'm speaking on the topic of Cloud Computing. The full agenda is here.
The proceedings will be webcast: http://welcome2theshow.com.previewyoursite.com/priv2010/index_calgary.html, starting at 9:00 Mountain time. I think you'll be able to watch it later from the same address if you miss it the first time. Or you can watch it over and over again.
The roster of speakers is very impressive, including:
