Legal considerations for Canadian Cloud hosting

Last week SunGard announced the opening of a Canadian data centre to host Canadian cloud environments.

This simple announcement spread like wildfire through social media for one major reason: the Patriot Act. There seem to be two sides in discussions around the Patriot Act: those who use it as an excuse not to undertake IT projects (“Sorry, we’d love to outsource our IT, but you don’t have a Canadian-based data centre, and you know we have to comply with the Patriot Act.”) and those who see it as a way to innovate.

The Patriot Act was a reflex answer to 9/11, a way to give the US Government power over all data held on US soil. This led to the creation of companies such as IBM Canada and Microsoft Canada (since US companies can’t hold our data either) as a way to comply with Canadian legislation. In fact, in Alberta and more so in British Columbia, the data privacy requirements are even stricter. So what does this mean for the future of Cloud in Canada? Does this mean we have to forgo the unique benefits that cloud offers and just accept services from Canadian corporations without due diligence? Not necessarily.

Cloud computing has many benefits due to infinite storage potential and elasticity. But the accumulation of data containing personal information in these environments exponentially increases the risks and the impact of a breach. If this happens outside Canada where foreign laws apply, it becomes even more problematic. This is why it is so critical to perform due diligence with your cloud provider before signing an agreement where your data (especially data subject to the Patriot Act) resides in their cloud environments. But what does this entail?

First, ask your cloud provider for specific information on the circumstances under which it can use your data. Your data should only be used with your consent, and remain solely your property. If the provider is required to disclose information about your data, it should only be done without your consent in specific situations, and if you can, consider including a liquidated damages provision for any disclosure without consent. This is because if there is damage caused by the disclosure, the provider may make it hard for you to claim a specific amount, as quantifying damage is very subjective.

Second, find out whether your service provider is under a requirement to resist (as much as the law allows) the disclosure of information without your consent, or whether it is under an obligation to cooperate with your organization in any audit and to not deal with any regulators without your consent or participation. What kind of security provisions are in place, such as regulation-compliant environments? How often are they audited, and who does the work? Is it a Canadian firm, or a foreign one?

The third key area to focus on when selecting a service provider that meets the requirements of Canadian legislation is data classification. Make sure that your personal data is protected by the right safeguards and that it is excluded from the general limit (if not completely excluded) of liability. If sensitive or business critical data is breached, it should have a higher liability penalty than regular non-critical data. This is to ensure that the provider focuses on this data primarily, not just the environment as a whole. Ask your provider if there are different data classifications and security controls, and most importantly where the data physically resides. What happens to the data if you move to another service provider or terminate the service? You want a specific deletion schedule that explains timelines for deletion and the controls that ensure the data is eliminated, along with the destruction of backup or duplicate sources of the data. How can data be moved to a new provider? Is there a migration path?

While most of these controls focus on personal information, it is important to note that you need to ensure your service provider agreement includes the same provisions for information that falls outside the legislation. While business critical information such as financial data, business plans and patents is not classified as personal data under PIPEDA, it is just as important as your customer information and needs to be considered in the same context.

As more Canadian-based cloud service providers become available, it is important to remember that many of these providers are subsidiaries of US firms. This means that although they have a Canadian data centre, the data may be moved to other global locations for maintenance or load balancing. It is your responsibility to ensure that you include in your contract provisions that restrict this movement, and the requirement for your provider to comply with Canadian legislation.

Comments

  1. Great article. These questions come up all the time. In fact, we have a potential customer that is concerned that the US can seize their data via the US Patriot Act because our equipment is housed in a facility owned by an American company.

    To clarify, we host our customers’ data on our IT infrastructure, owned and managed by us (a Canadian company). We rent co-location space in a computer data centre in Toronto, which is owned by a US company.

    Do the US laws regarding access and seizure of assets apply to us in Canada?

    • Hi Greg, this is a great question. Honestly, no matter where you host your data, the US and Canada have agreements to perform warrantless access to your data. But as it relates to the Patriot Act, it focuses on where data is hosted, so hosting on Canadian soil (with a Canadian IP address) is the key factor that will affect the legislation.

      The caveat here is that you need to put a provision in your SLA that states your data cannot be moved trans-border in order to comply with Canadian data legislation. By having this clearly stated in your SLA, it should be easier to show your auditor that you are not in violation of this requirement.

      I hope that provides some clarification.

      Andrea

  2. Interesting article Andrea.

    Full disclosure – Much of the growth of RackForce’s hosting/cloud business (Canadian Owned and Based) has been driven by customers with Patriot Act concerns but they still wanted to have a North American presence. To date we have hosted over 10,000 customers from 100 countries with the majority of our “International” customers from the US.

    We have seen many requests from US authorities to disclose data (mostly for US companies). Since we operate under Canadian law only we advise them to work with Canadian authorities. 99% of the time the process ends at this point which makes us wonder how serious the request really was.

    Even if it is possible to protect Canadian data stored in the US or with US companies with hosting based in Canada it seems to me that the complicated process to figure out if your data is safe is the real problem. How do you keep on top of this?

    In the meantime Canada’s efficiency is greatly slipping while data privacy is used as a good reason not to move to the cloud. I think we desperately need to grow our Canadian Based Cloud Ecosystem and educate people that quality cloud hosting does exist and is flourishing in Canada.

  3. This is really attention-grabbing, You’re an excessively skilled blogger. I’ve joined your rss feed and look ahead to in quest of more of
    your wonderful post. Also, I’ve shared your site in my social networks

Trackbacks

  1. […] known as ‘Cloud Privacy-By-Design’. The team at the Onta As Andrea explains in this earlier blog, Patriot […]

  2. […] is such a hot topic. As Andrea talks about in this earlier blog the mention of Cloud Computing is usually quickly followed by concerns about the USA’s Patriot Act. […]
