Page 35 - CCCA Magazine Spring 2014
{ FEATURE }

When contemplating a cloud computing solution, use your existing information system — warts and all — as the baseline from which you measure any potential decisions. As objectively as possible, you need to consider the security and privacy risks inherent in your corporate infrastructure.

Q Is it illegal for a Canadian business to outsource services such as cloud computing to a non-Canadian company?

A No. There is no law preventing most Canadian businesses from “exporting” personal information. Private-sector privacy laws require you to ensure a level of security for personal information comparable to that provided in Canada, regardless of whether you permit a Canadian or non-Canadian company to manage it. However, some highly regulated industries, such as banking, have special rules which may include additional regulation for outsourced services.

Q Is it illegal for a Canadian public sector or government body to outsource services such as cloud computing to a non-Canadian company?

A It depends on the jurisdiction of the public sector or government body. British Columbia and Nova Scotia are the only jurisdictions with laws strictly regulating the export of personal information from Canada by public bodies. For all other jurisdictions, including the federal jurisdiction, public sector bodies are permitted to export personal information, but must ensure a level of security comparable to that in Canada, regardless of whether a Canadian or non-Canadian company manages it. Alberta legislation makes it an offense for a public body or service provider to disclose personal information in response to an order with no jurisdiction in Alberta.

Q Is information better protected from law enforcement and national security access in Canada than in the United States?

A Not necessarily. The provisions of the USA Patriot Act that have attracted the most criticism have equivalents under Canadian law. Regardless of where information resides, it will always be subject to lawful disclosure to law enforcement or national security bodies. In Canada, this includes search warrants under the Criminal Code of Canada and the Canadian Security Intelligence Service Act, and administrative subpoenas such as those issued under the Income Tax Act. Many European countries permit broader law enforcement and national security access to information than either the United States or Canada permit.

Q Does keeping data in Canada keep it away from American law enforcement and national security agencies?

A In short, no. Canada, the United States and most Western democracies engage in a very high level of cooperation that includes mutual legal assistance treaties and ad hoc information sharing. In the area of “signals intelligence”, Canada is a member of the “Five Eyes” program, under which Communications Surveillance Establishment Canada cooperates with the American National Security Agency, and their counterparts in the U.K., New Zealand and Australia. Most Canadian privacy laws actually permit this sort of information sharing under treaties or informal arrangements.

Q If we go with a cloud solution, should we notify our customers/users?

A Under most Canadian laws, you technically do not need to seek consumer consent or provide notice. However, the Privacy Commissioner of Canada’s position is that businesses proposing to have personal information processed outside of Canada should give customers notice. This is not required under the federal Personal Information Protection and Electronic Documents Act (PIPEDA), but probably represents a best practice. Under the Alberta and Quebec private-sector privacy laws, you are required to give your customers notice.

Q What are the legal security requirements for Canadian companies considering cloud computing?

A Canadian legislation is silent about the particular security practices you should adopt when using cloud computing. PIPEDA, for example, only says that safeguards commensurate with the sensitivity of the information must be adopted: the more sensitive the information, the greater the precautions that should be taken. The general prevailing view is that you should insist on at least the industry best practices for the sort of data at issue.

The original organization remains legally responsible for safeguarding personal information even if it is outsourced. It is up to the organization to make sure that any service provider implements adequate protections.

You must be mindful of any additional risks cloud computing introduces. This is principally related to data being in transit over the open Internet. You can generally mitigate these risks by using SSL, VPN or other encryption technologies to make the information secure in transit. Provided you use a reputable provider, information is often safer when in the custody of a

CANADIAN CORPORATE COUNSEL ASSOCIATION | CCCA-ACCJE.ORG