What happens to data being stored in Canada and whether it can be accessed by foreign law enforcement agencies is a question Canadian courts are currently grappling with.
Two decisions — one in Ontario, the other in British Columbia — have determined that information held in servers in Canada can’t be shielded for review by American investigators. But the Ontario Court of Appeal has decided to re-examine one of those cases.
“These are important issues not only for this case, but for future cases as well, in which no doubt many issues will arise out of the seizure of digitally stored information and data, not only regarding jurisdiction, but also the mechanics of safeguarding the privacy and security of such information and data,” wrote Justice Kathryn N. Feldman in granting appeal in United States of America v. Equinix Inc. in February.
Scott Hutchison, who represented Equinix and Megaupload in the Ontario Superior Court of Justice, says legislation to address these specific concerns is necessary; until then, however, the direction will be left to the courts to forge.
Hutchison, who has a litigation practice with Henein Hutchison LLP in Toronto where he focuses on regulatory and administrative law, says the issue has become increasingly significant over the past five years with the explosion of cloud storage use for digital information.
“The problem, of course, is data doesn’t respect borders, but the way we’ve organized our societies, government, and law is border-driven,” he says.
“The concern is that not all countries have the same appreciation of privacy, not all countries respect the notion that the individual has the right to control what is disseminated to the state, and not all countries use information the way we would consider appropriate.”
Equinix and United States of America v. Bin involve massive amounts of data being sought by officials in the United States.
In Bin, the RCMP seized digital devices and media that exceeded 300,000 pages from Vancouver businessman Su Bin under the Mutual Legal Assistance in Criminal Matters Act.
The act accommodates mutual legal assistance in criminal matters between Canada and other countries.
U.S. authorities accused Bin of hacking into U.S. computers to steal sensitive technical information about the F-35 and F-22 military aircraft by conspiring with two members of the Chinese military. And they sought his extradition to the U.S.
But much of the material they expected was correspondence between Bin and the Chinese men was in simplified Chinese characters, which the RCMP did not have the resources to translate.
That restricted its ability to fulfil its obligation under the act to help the U.S authorities by reviewing the material that had been seized and preparing a report before a judge could issue a sending order.
The British Columbia Attorney General successfully requested that the British Columbia Supreme Court permit an FBI “clean team” to help with the translation of the documents. Bin’s lawyer argued that once that information was transferred to the U.S., the Canadian courts would lose control over how that information was used.
In Equinix, the Attorney General of Canada applied for an order to allow a team of American investigators to examine 32 computer servers seized in Canada and asked that the American team create the report to outline the data stored on the servers.
In that case, Justice Michael Quigley found that at the core of the application was balancing the privacy rights of Canadians with Canada’s international obligations.
He allowed the American investigators to examine the servers as long as they submitted a copy to him prior to applying for a sending order of the data.
Maanit Zemel, a litigator who focuses on Internet issues through her boutique firm MTZ Law, says the recent decisions show that if it’s in the cloud, there is always a possibility that digital data could be accessed by authorities here or elsewhere.
“It is an indication that it does not necessarily matter where you store your information, the law has a long reach, and yes, you are still entitled to constitutional protections.
But the fact that the information is located in the cloud does not, in and of itself, safeguard you from having to produce that information to law enforcement agencies,” says Zemel.
The situation is complicated by the rapid pace of technology.
Every time the law catches up with technology, technology continues to advance. So it’s a constantly moving target.
The idea behind cloud technology is that it’s supposed to be everywhere and nowhere all at once, adds Kirsten Thompson, lead of the cybersecurity, privacy, and data protection group at McCarthy Tétrault LLP.
But the servers that allow information to go onto the cloud do reside in geographical locations. And in response to demand, service providers have started to develop servers in Canada so the information can reside here.
“This means that companies are now checker-boarding the world with servers, trying to keep ahead of the legislation and law enforcement. And as laws change, then you may have to shift your data over somewhere else,” she says.