Waning fear about the U.S. Patriot Act is helping drive Canadian businesses offshore in search of cloud-computing solutions.
When it passed following the Sept. 11, 2001, terror attacks, observers billed the Patriot Act as a transformational boost in the U.S. government’s seizure powers. As a result, the legislation has traditionally frightened off Canadian companies from storing personal information there. But that has changed, according to Robert Percival, co-chairman of Norton Rose Canada LLP’s technology and outsourcing teams.
“There has been a lot of fear and uncertainty around the Patriot Act, and in fact, I think a lot of misunderstanding around it,” says Percival.
“If I’m a Canadian business, the Patriot Act really shouldn’t be a barrier other than perhaps having to provide notice to my customers that data is located outside the country. It’s really not an issue that’s unique to U.S. organizations. There are Canadian statutes in place that have a similar impact in enabling the authorities to require disclosure in anti-terror type cases and a number of bilateral agreements between the U.S. and Canada that allow security organizations to exchange personal information.”
Last year, following a complaint from an MPP about the storage of personal information south of the border, a special investigation by the Office of the Information and Privacy Commissioner of Ontario into the licensing automation system at the province’s Ministry of Natural Resources helped lay to rest some of the myths about the Patriot Act.
In her report, commissioner Ann Cavoukian emphasized that Ontario has no legislative prohibition on the storage of personal information outside Canada and endorsed a finding by her federal counterpart that “the privacy protection afforded by a U.S. service provider is comparable to that of a Canadian-based provider.”
“The Patriot Act has invoked unprecedented levels of apprehension and consternation. . . . The feared powers were available to law enforcement long before the passage of the Patriot Act through a variety of other legal instruments. In my view, these fears are largely overblown, and focusing on them unduly constitutes a pointless exercise,” wrote Cavoukian.
“The critical question for institutions which have outsourced their operations across provincial or international borders is whether they have taken reasonable steps to protect the privacy and security of the records in their custody and control. I have always taken the position that you can outsource services, but you cannot outsource accountability.”
Wherever data ends up stored, Pat Flaherty, a partner in the privacy practice group at Torys LLP in Toronto, says it’s vital to work out which country’s laws will apply as part of a cloud computing relationship. “What’s new and unique with the cloud is that it is truly transnational in nature. Cloud providers often have multiple layers of parties involved in the delivery of their service, and there isn’t always full transparency about who is doing what to whom and where,” he says.
“Providers are typically looking for the lowest cost, so lots of subcontracting is done to low-cost jurisdictions. You have to think about how you meet your transparency and disclosure obligations to your own customers when you may not even know who’s processing your data.”
Percival says businesses should perform the same sorts of checks on a cloud provider as they would with any other outsourcer in a more traditional line of business.
“By putting data in the cloud . . . you’re effectively giving up a degree of control over it. You are no longer the custodian,” he says, adding that the depth of the investigation depends on the nature of the data. “In a low-risk scenario where you’re storing a bunch of non-proprietary data that maybe doesn’t matter that much, it may be that you care less about security or where it is. If it is material to your business, you have a different set of considerations to think about. How are they backing it up and securing it against intrusion, loss, and viruses? Not only what’s being done to protect it but how you can verify it?”
Percival says one way to achieve a level of certainty about issues such as legal jurisdiction and performance levels is to include provisions for them in the service contract. But in an industry that leans strongly towards standard-form contracts, that can be problematic, he says.
“These long contracts have the illusion of commitments around service levels, but when you look hard at it, there’s not much meat there. You can’t take a great deal of comfort that the cloud contractor is going to be on the hook for failing to deliver. I think often there are a lot of unrealistic expectations on the contractual side about what you’re getting. Most private providers are built on a model where there’s not a lot of intent to negotiate custom arrangements.”
Flaherty says tailoring is possible but notes it could prove expensive and cut into the savings businesses hope to achieve by using the service in the first place.
“Unless you’re a real volume cloud buyer, it’s hard to negotiate the standard forms and conditions which typically minimize the risk of providers,” he says.