Data access and privacy are often considered key concerns for Canadians enterprises looking at cloud computing to improve operations by having business data hosted by a third party. This is particularly true in the face of a rising trend of stricter data compliance controls and measures in the face of global data privacy and surveillance news.
Cogeco Peer 1’s Ben Young is responsible for the firm’s day-to-day legal activities — including abuse-monitoring and legal compliance, privacy, risk management, and contract management.
Young spoke with IT World Canada’s security-focused publication CSO Digital to discuss the data sovereignty issues, trends, and challenges for Canada.
What are the data sovereignty challenges?
This is a constantly evolving subject. To a certain extent, there are a lot of options out there now that weren’t necessarily there five years ago. Companies are getting much more sophisticated on the vendor and the customer side about both privacy and security issues. And the terms privacy and security should be segregated — they are not the same thing. When we are talking about surveillance, we are talking about a privacy world. But security is something that has really evolved — companies are both asking more questions and demanding more of their service providers. But they are also hiring internal IT experts that can take the security aspects of the solution into their own hands. It’s a challenge for Canadian companies and organizations that are actually concerned about keeping their underlying data in Canada. We see it all the time: it’s dictated by having government clients (for example) or clients who want to avoid U.S. jurisdiction.
What are the practical challenges?
There are not a lot of providers out there that can and will guarantee data sovereignty. The challenge is actually around trying to keep underlying data physically stored within the Canadian border. And taken one step further, transport and transit services provided natively in Canada is very challenging for companies to guarantee, mostly because of the international presence they have. Often, Canadian companies have a heavy U.S. focus, particularly companies with subsidiaries or affiliates in the States, and the physical transport of the services may rely of third parties who may route it through the U.S., or they may have support staff located abroad. One way to address that is to ask questions: try to incorporate, as much as you can, the company’s stated position in the provider contract. Companies should know what the risks are and should be asking those questions. One other data sovereignty challenge is the Canadian government’s response to privacy and security in general in Canada. Last year, we saw it significantly weakened by the outgoing Conservative government. We saw Bill C-51 weaken the overall principled stance the Canadian government had historically taken on privacy.
Why should the Canadian IT sector be at the forefront in the efforts to push for reform around government surveillance?
I would argue that everyone should be on the forefront of these efforts and should be political about this. For Canada in particular, the public outcry over Bill C-51 was important. I think even for the Liberal government — who voted for the bill going into the election season — they had an odd position to support the bill and then reform it once they got elected. I think we need to keep the pressure on for the new government to address these issues in a way that the public clearly wants to be addressed. We’ve seen people take to the streets on this; this is a step in the right direction and I think the Canadian IT sector lends a lot of credibility to these types of issues. But we need to keep the pressure on — the government has responded to this historically, and I think will do so again.
How do Canadian data residency and sovereignty laws compare to other nations? Is this improving?
Canada has traditionally been viewed as having the strongest privacy laws in the world. Especially when it comes to the collection and dissemination of personal information of its citizens. At least in the terms of public perception, the Canadian government has even used its strong privacy protections as a point of pride and even differentiation. You’re hearing a lot in the news about the EU data directive and U.S. Safe Harbour agreement that the Department of Commerce has had in place for years. It’s important to remember that the reason why Canada was not affected by that was that Canada was one of the countries deemed to have privacy protections in place that were at least as strong as what was in place in the EU. This has allowed businesses and other entities to transfer personal information on EU citizens to Canada without having another agreement in place. That is a testament to the strong laws Canada has had in place with respect to the privacy of its citizens.
What security best practices do you recommend for organizations looking at a cloud-based platform solution?
There’s a new breed of Internet user — this applies to IT organizations — and the market has really responded to this with a host of products, and even revisions to existing products like hosting and colocation services that are really focused on the security aspect. That’s what is demanded of companies these days; this is generally a good thing but it also puts a huge burden on organizations to review and select products that might be right for them. The corresponding trend is that you are seeing organizations hiring professional partners that really understand this and aren’t just reacting to Snowden or the big data breach of the day. These partners really understand what’s right for them. In terms of what practices to recommend, my biggest point is that while it is important to trust your service provider — asking them questions, holding them accountable, and forcing them to publicly disclose what their practices are — it’s misplaced to let this be a substitute for an organization’s own judgment about how to handle security of the data. Organizations need to adopt these security best practices on their own.
Should organizations be solely looking at solutions that ensure private data is stored on local servers?
There really isn’t one-size-fits-all solution for this. I tend to give a very hedging answer on this, but a lot of businesses and people have specialized concerns about their data. Organizations need to be asking and understanding the underlying threats to the data: is the company even concerned about surveillance tactics? They may not be, and that’s fine. While I obviously take a pro-privacy stance, cost and convenience are certainly valid factors and should be weighed in an IT or organizational budget against the actual or perceived threats to the company’s business model and underlying data.
This interview has been condensed and edited. This article first appeared in the May 2016 issue of CSO Digital
