Cloud Computing is the boardroom buzzword of the year for 2011. With promises of flexibility, scalability, ease of management and cost reduction, it’s an attractive proposition for any company looking to solve complex inter-related IT issues. If your technology is out-dated and you can’t afford to replace it, use the Cloud, as there are no, or limited, initial costs. If your people need to be re-trained, use the Cloud as a method of outsourcing without saying the word: we’re not “outsourcing”, we’re leveraging the Cloud. If your processes need defining and re-shaping, move to the Cloud, where somebody has already done the hard work.

Win, win, win everywhere — music to the ears of the C-level executives.

However, there’s an emerging problem with the Cloud: the US Patriot Act. This legislation was a knee-jerk reaction to the tragic events of 9/11. While it mostly dealt with terrorism, there were some provisions surrounding data that have been slowly abused since. Namely, all data that is held by US organizations can be interrogated by the US Government with limited oversight. The legitimacy of some of these requests is only just working its way through the judiciary, and it will be some time before legal precedent has clarified the situation.

In the meantime, most Canadian organizations avoid the storage of Canadian data south of the border. This isn’t because we don’t trust the Americans; we just have our own legislative requirements that say we’re obligated to protect the personal information of Canadians. We can’t comply with Canadian requirements if our data is subject to the all-seeing power of the Patriot Act. Many US companies found a way of assuaging these fears by setting up local companies, i.e. IBM Canada or Microsoft Canada.

However, this summer new (ab)uses of the Patriot Act have come to light from Europe. Both Google and Microsoft have admitted that they’ve provided data to the US Government from their European data centres. The provisions of the Patriot Act allow data to be requested from any company that operates in the US or is headquartered in the US, undermining the efficacy of the EC directives protecting data. The Patriot Act also allows any data request to be treated confidentially, barring the companies from disclosing they’ve ever sent data.

Therefore, personal information handled by any US service provider is vulnerable to inspection and storage by the US Government.

The Freedom of Information and Protection of Privacy Act (FoIPPA) in British Columbia has some stringent measures for protecting personal information collected by public bodies. Section 33.1 specifically lists the permitted ways in which data can be sent outside of Canada.

Investigations into the Patriot Act within BC resulted in 16 recommended changes to the law, including:

“Legislation should be passed to make it an offence for a public body or a contractor to disclose personal information or send it outside Canada in response to a foreign court order, subpoena or warrant, with violation being punished by a fine of up to $1 million or a term of imprisonment, or both;”

Therefore, what should a public body in BC do? It can no longer comply with §33.1 of FoIPPA when working with US suppliers and vendors. It’s common knowledge that the Patriot Act is being used outside of the physical boundaries of the US, which would potentially place a public body in breach of FoIPPA. Recommended legislative changes from BC’s Information and Privacy Commissioner would appear to solidify that position even more to protect the personal information of Canadians.

Does this mean no IBM, EMC or Amazon Cloud for us? It depends on whether you can avoid sending personal information to them.
