More companies in Canada are turning to the cloud — or, at least, thinking about it — for flexibility, agility and cost savings. But there is often the perception that using cloud-computing services could compromise corporate and customer data, or may even be against the law.
But there’s no law that prevents most Canadian businesses from exporting personal information, said David Fraser, partner with McInnis Cooper, president of the Canadian IT Law Association and chair of the National Privacy and Access Law Section of the Canadian Bar Association.
Private-sector privacy laws require that you ensure a comparable level of security for personal information, regardless of whether you permit it to be managed by a Canadian company or a non-Canadian company. And some highly regulated industries, such as banking, have special rules that may include additional regulation for outsourced services.
“The Patriot Act is the big thing that people freak out about,” he said, “but we have a Canadian version of the Patriot Act, which is just as offensive.”
Here’s the deal: In 2001, the U.S. Congress passed the USA Patriot Act, which expanded the powers of law enforcement and national security agencies to carry out investigations and obtain intelligence in connection with anti-terrorism investigations.
But the provisions that have attracted the most criticism, said Fraser, have equivalents under Canadian law. Regardless of where information resides, it will always be subject to lawful disclosure to law enforcement or national security bodies. In Canada, he said, this includes search warrants under the Criminal Code of Canada and the Canadian Security Intelligence Service Act. Many European countries also permit broader law enforcement and national security access to information than in both the U.S. and Canada.
Of course, where the data sits can have an impact on that data. If it’s in North Korea or China, it’s at high risk, said Fraser. In the U.S., it may in some cases be significant, but in most cases it won’t be. “How interested would the FBI be in getting their hands on that data and would they be able to justify getting a subpoena? In most cases no,” he said. “And if it’s a person of interest they can get it in Canada.”
Many people are surprised to learn there’s a secret court in the U.S. where judges hear applications made by Department of Justice lawyers for search warrants (and other such things) and there’s nobody on the other side to oppose those applications.
“We have a secret court in Canada,” said Fraser. “We have a bunker in Ottawa where judges hear lawyers from the Department of Justice and CSIS for warrants to do things as potentially offensive as break into your house and install wiretapping equipment. These orders can specifically provide for authorities to go back in and change the batteries. So people don’t often think that Canada is engaged in these types of cloak and dagger things, and we are. Our definition of anti-terrorism is as broad and offensive as the U.S.”
Canadian authorities have virtually identical powers under the
Canadian Security Intelligence Service Act, he said, which permits secret court orders that authorize CSIS to intercept communications or to obtain anything named in the warrant.
On top of that, Canada has a mutual legal assistance treaty with the U.S. (as well as informal agreements), so if the FBI wants data and it’s in the hands of a Canadian company, the FBI calls the RCMP or CSIS. “So when you dig into it, that cross-border issue, at least in most cases, really is not the large issue that many people are led to believe it is,” he said, adding that the Patriot Act has become shorthand for just saying no.
Only British Columbia and Nova Scotia have laws strictly regulating the export of personal information from Canada by public bodies, said Fraser. For all other jurisdictions, including the federal jurisdiction, export is permitted, but the public body must ensure a comparable level of security for personal information, regardless of whether it’s managed by a Canadian or non-Canadian company.
What businesses need to do is benchmark their existing privacy infrastructure and compare it to the privacy infrastructure of the proposed cloud provider. What are the real risks to the data, and to privacy and security? A lot of businesses have significant existing vulnerabilities — from insecure desktops, to playing catch-up with security patches, to mobile employees running around with laptops. Or thumb drives. “Nothing is more stupid or dangerous,” said Fraser. “In a cloud model if the computer is lost you lose nothing.”
Very often, this benchmark leans heavily in favour of the cloud provider that has squadrons of security people. Small businesses, in particular, are vulnerable to power outages and basic continuity issues. A reputable large-scale cloud provider will have multiple data centres, so things will stay up and running.
One of the biggest hurdles to widespread adoption of cloud computing is the data concern, said Robert Percival, a partner with Ogilvy Renault. Where is it, what laws govern it, and what obligations do you have under the law? You may have contractual issues with customers or suppliers, for example, or you may have legal statutory obligations, whether that’s under PIPEDA privacy legislation or some other applicable statute like health privacy legislation.
As a collector of information, a company is responsible under federal legislation or the provincial equivalent where it exists to make sure that when it outsources or provides a third-party service provider with personal information, that the appropriate security protection measures are in place to protect that information. If you’re looking to use the cloud, you’ve got to make sure that service provider has the security and infrastructure in place for you to live up to your expectations under the law. “From a due diligence perspective,” he said, “that can be challenging to do.”
Are they using capacity in China or India where the laws may be weaker or there are inherent risks just because of the nature of the jurisdiction or sensitivity of the information? The due diligence aspects of cloud computing and understanding your risks are an important first step, said Percival, and it’s not as easy as it sounds.
Another business concern is performance. What happens if that service isn’t available? “Cloud contracts are very skinny on commitment in terms of service levels,” he said. Instead, they become “efforts-based” and liability is limited.
“Right now I’m negotiating about 10 different cloud-type agreements on behalf of a large corporation and we expect to negotiate all these terms and conditions, but they’re paying millions of dollars,” he said. “Another one is much smaller, a couple thousand bucks a month — we’re going to try but I’m not optimistic we’re going to get very far.”
In order to provide that ubiquitous cost-effective cloud-computing environment you can turn on and off on-demand, what often gets sacrificed is the move to a one-size-fits-all contract, said Percival. There’s a real reluctance by cloud providers to negotiate because it becomes a cost impediment. They’re either unable or unwilling because of the dollar cost to stray from their template.
“Everything is ultimately negotiable, but if I’m trying to contact Google to negotiate the terms of my Gmail account, it’s not going to happen,” he said. “But if it’s the federal government or a large corporation, there’s an ability to negotiate, or they might at least have a chance.”
For the sake of efficiency, cloud computing service providers often impose standard term contracts that their clients are not at liberty to negotiate, but which may not properly address all relevant risks. And in a field with little (but growing) competition, businesses may lack the leverage to customize their contract to make it sufficiently comprehensive, said Véronique Wattiez Larose, a partner in McCarthy Tétrault’s Business Law Group, who negotiates such contracts.
“This is a model that’s meant to be more agile, more flexible, but don’t let that fool you from a legal standpoint,” she said. “It doesn’t mean you can forget about the legal provisions that protect you.”
For example, some regions, such as the European Union, have stringent rules concerning movement of certain types of data across borders. Unless they take certain steps, organizations are prohibited from transferring personal information to countries that do not provide the same level of protection with respect to personal information of EU residents (including the U.S.). In a cloud-computing context, it may be difficult to determine which countries data will be transferred to and from.
The biggest concern with cloud computing contracts is not how they address certain issues, but rather how they fail to address others. “Our concern as lawyers is that more often than not, up until now the cloud computing contracts that we see are incomplete in comparison to your standard long and thick outsourcing contract, which would be extremely detailed,” said Larose. “That’s not necessarily the case for cloud computing, where at the end of the day the concerns are quite similar.”
There’s a huge element of trust required, which is no different from a traditional outsourcing relationship, she said. “The biggest difference is you won’t necessarily be negotiating in the same room with the guy sitting across the table from you. Everything is done more remotely, so it’s hard to build that trust.”
Don’t take for granted that what a cloud service provider offers you will automatically address all of your concerns, she said, though that should be part of any normal due diligence process. If some of your concerns are not addressed, understand the risks and evaluate whether or not you still want to move forward.
Although the contract terms may seem commercially reasonable, you need to make sure that the cloud service provider is not turning a blind eye to something that may be material for your organization. If the geographical location of an organization’s data is likely to trigger export control issues, your contract should include prohibitions against extraterritorial storage.
And it’s important to understand how and in what format the data is stored, said Larose, and what tools are available to retrieve it should it be required for e-discovery purposes.
Find out from the get-go whether or not the cloud service provider has any ability to negotiate the contract. “The answer may be no, depending on the business application you’re outsourcing,” said Larose. “You obviously can’t negotiate your Gmail. But if it’s a huge contract and a key relationship for the provider, they’re likely to have more flexibility in making everybody happy.”
However, if you employ contract managers and have to negotiate contracts all the time, it can defeat the purpose of cloud and you won’t be able to achieve the economies of scale that cloud promises, she said.
But don’t say no to cloud right off the bat, and don’t base decisions on false information. Go through the exercise: See what’s there, what’s not, evaluate the consequences of any gaps, and make a business decision based on that — often, the benefits of flexibility, agility and cost savings will be well worth it.