CLOUD COMPUTING & THE PATRIOT ACT:
A RED HERRING?
Lindsey Finch
Senior Global Privacy Counsel
Salesforce.com
David T.S. Fraser
Partner
McInnes Cooper
I. Brief Overview of Cloud Computing
II. Cloud Computing & Privacy
A. Privacy Issues
B. Privacy Benefits
III. Cloud Computing & Jurisdictional Concerns
A. Patriot Act
B. Canadian Laws Akin to the Patriot Act
C. Information Sharing Amongst Governments
D. Myths & Realities
IV. Practical Response
A. Returning to First Principles
B. Checklist for Service Provider Contracts
BRIEF OVERVIEW OF CLOUD COMPUTING
Definition of Cloud Computing
• Oftentimes debated and little consensus
• Distributed computing architecture in which data and applications reside on servers separate from the user and are accessed via the Internet
• Applications and data are generally accessible from anywhere, provided you have an Internet connection
• Low cost of administration, scalable, greener
[Diagram: a user with Internet access connects to a remote data center under a subscription-based, pay-as-you-go license. Data entered by the user is sent to the data center for storage/processing and returned to the user through an Internet browser interface.]
Applications Moving to the Cloud
• 1960’s: Mainframe
• 1980’s: Client/server
• Today: Cloud Computing Applications
Platforms Moving to the Cloud
• 1960’s: Mainframe
• 1980’s: Client/server
• Today: Cloud Computing Platforms
Consumer versus Enterprise Offerings
• Consumer Offerings
– Oftentimes free of charge
– Almost always have take-it-or-leave-it terms of service
– Terms of service may be subject to change
– Provider may use customer data for advertising, other purposes to monetize offering
• Enterprise Offerings
– Typically charge a fee
– Sometimes terms of service are subject to negotiation
– Terms of service typically cannot be unilaterally changed
– Provider typically does not use customer data for purposes beyond providing the services
CLOUD COMPUTING & PRIVACY
Privacy Issues
• Control
– Does the provider claim ownership rights in customer data?
– Does the provider only use customer data as their customers instruct them or to fulfill their contractual or legal obligations?
– Does the provider only disclose customer data as required by law and, to the extent permitted by law, provide customers with prior notification of any such compelled disclosure?
• Data Location/Transfers
– Where are data centers located?
• Security
– Does the provider adhere to internationally-accepted security standards, such as the ISO 27002 framework?
– Does the provider have regular, third-party, independent audits of its security program?
• Negotiable contracts?
– Will the provider negotiate customer contracts?
Benefits of Cloud Computing
• Professional Management
– More secure data centers
– More operational controls around data access
– More security resources
– Better auditability
– Data is not easily lost
• Single code base for remediating vulnerabilities
– One fix can benefit all customers simultaneously
• Sum of customer requirements benefits all customers
– Customers across multiple geographies and industries impose requirements on the provider
– The same services are used for all customers, so all customers benefit from each other’s requirements
CLOUD COMPUTING & JURISDICTIONAL CONCERNS
Patriot Act: Overview of Law
• Brief History
– Signed into law on October 26, 2011 in response to the terrorist attacks against the U.S. on September 11, 2011
– Amended existing laws governing intelligence activities
• Focus of Law
– Permit information-gathering related to matters of national security, particularly to combat world-wide terrorism and financing thereof
• Controversial Aspects
– Intelligence, surveillance, and information collection tools have been expanded
– Procedural hurdles for using such tools have been reduced
• Protections Embedded
– Involvement by all three branches of government in all instances
– Attempt to balance national security concerns with privacy rights
Issues for Canadians: Expanded Rights of U.S. Government
• Expands law enforcement and intelligence agencies’ surveillance and investigative powers
• Certain provisions prohibit the recipient of an order from revealing the order’s existence, except to legal counsel
• Powers of surveillance and search/seizure extend to records of Canadians
• Powers could extend to records in the custody of
– US companies in Canada
– Canadian subsidiaries of US companies
– Canadian companies with US presence
Canadian Response to Patriot Act
• British Columbia
– British Columbia Government Employees Union (BCGEU) launched “Right to Privacy Campaign” (May 10, 2004)
• BC Commissioner’s Inquiry
– Information and Privacy Commissioner of BC began inquiry into the Patriot Act and British Columbians’ privacy – Spring 2004
– Particularly focused on s. 215 – secret court orders permitting seizure of “any tangible thing”
– Received over 500 submissions, including from the FBI and the U.S. service provider of BCGEU
• BC FOIPPA Amendments
– Before final Commissioner report, BC government introduced amendments to the BC Freedom of Information and Protection of Privacy Act
– Passed on October 19, 2004
– Applicable to public sector bodies
– Wide prohibition against disclosures of personal information outside of Canada
• Alberta’s Protection of Personal Information Act
– Applicable to private sector organisations
– 92(3) A person must not wilfully disclose personal information to which this Act applies pursuant to a subpoena, warrant or order issued or made by a court, person or body having no jurisdiction in Alberta to compel the production of information or pursuant to a rule of court that is not binding in Alberta
– 92(4) A person who contravenes subsection (3) is guilty of an offence and liable
(1) in the case of an individual, to a fine of not less than $2,000 and not more than $10,000, and
(2) in the case of an other person, to a fine of not less than $200,000 and not more than $500,000
• Nova Scotia’s Personal Information International Disclosure Protection Act
– Applicable to public sector bodies
– General rule:
• Personal information must be stored in Canada and accessed only from Canada
– General exceptions:
• Consent of the individual in the prescribed form
• Permitted disclosure under the Act
• Storage or access permitted by head of the public body
– Exceptions that may be granted by head of public body
• Head of public body can permit storage or access outside of Canada if the head considers the storage or access is to meet the necessary requirements of the public body’s operation
• Head can impose restrictions and conditions
• Head must report all such decisions to the Minister within 90 days of the end of the relevant year
– Section 9(3) – Law enforcement
• Public body that is a law enforcement agency may disclose personal information to
(a) another law enforcement agency in Canada; or
(b) a law enforcement agency in a foreign country under an arrangement, a written agreement, a treaty or an enactment of the Province, the Government of Canada or the Parliament
– Section 9(4) – Electronic devices
• The head of a public body may allow a director, officer or employee of the public body to transport personal information outside Canada temporarily if the head considers it is necessary for the performance of the duties of the director, officer or employee to transport the information in a computer, a cell phone or another mobile electronic device
• Personal Information and Protection of Electronic Documents Act (PIPEDA)
– Applicable to private sector organizations except where there is a “substantially similar” provincial law
– Permits transfers of personal information outside of Canada when certain conditions are met
– Principle 4.1.3 of Schedule 1
• An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.
• Office of the Privacy Commissioner’s Processing Personal Data Across Borders Guidelines
– Published in January 2009
– Clearly sets forth conditions under which personal information may be transferred outside of Canada for processing purposes in compliance with PIPEDA
Canadian Laws Akin to the Patriot Act
• Anti-terrorism Act
– Passed by parliament and became law on December 24, 2001
– Amended a range of statutes, including
• Criminal Code
• Canadian Security Intelligence Service Act (CSIS Act)
• National Defence Act
• Interception of Email
– Interception of email in transit would require a wiretap order under the Criminal Code, CSIS Act or ministerial authorization under the National Defence Act
– Access to an email in storage would require a search warrant or production order under the Criminal Code or under the CSIS Act
• CSIS Act
– Allows secret order from secret court (specially designated judges from the Federal Court)
– Allows a secret warrant authorizing
• Interception of communication
• Obtaining any information, record, document or thing
– Can obtain these by
• Entering any place
• Searching, removing and examining any thing
• Installing, maintaining or removing any thing
• National Defence Act
– Provisions added by the Anti-terrorism Act refer to the Communications Security Establishment (the Canadian NSA)
– Minister (not court) can authorize interception, for the purpose of foreign intelligence, of private communications directed at foreign entities located outside of Canada
– Note: “foreign intelligence” means information or intelligence about the capabilities, intentions or activities of a foreign individual, state, organization, or terrorist group, as they relate to international affairs, defence or security
Information Sharing Amongst Government
• Canadian and US intelligence agencies share vast amounts of information
• Mutual legal assistance treaties (MLATs) allow Canadian authorities to get warrants for US authorities, and vice versa
• “Arrangements” exist for informal sharing related to targets of mutual interest
• Canadian authorities can get information in the US without a warrant and American authorities can get information in Canada without a warrant
Myths & Realities: How are Canadian Laws Different than the Patriot Act?
• Reality: most of the provisions of the Patriot Act are mirrored in Canadian law
• Reality: Canada has a “secret court” that allows ex parte applications for warrants, including sneak and peek warrants
• Reality: Canada has warrantless wiretap powers for international communications, same as in the US
• Reality: There is a huge degree of cooperation between Canadian and US authorities, both formal and informal
Returning to First Principles
1. Original data custodian remains accountable
2. Original data custodian should make informed choices about service providers
3. Original data custodian should take a risk-based approach
4. Most Canadian laws permit cross-border transfers
Checklist for Service Provider Contracts
• Ownership
– Ensure the cloud provider claims no ownership right in customer data
• Use
– Ensure the cloud provider only uses customer data as instructed by its respective customers or to fulfill the provider’s contractual or legal requirements
• Disclosure
– Ensure the cloud provider only discloses customer data where required by law and, to the extent permitted by law, provides prior notification of compelled disclosure to the impacted customer
• Security
– Ensure the cloud provider maintains a robust security management system based on an internationally accepted security framework (such as ISO 27002)
– Ensure the cloud provider offers a selection of security features to implement in its customers’ usage of cloud services
• Audit
– Ensure the cloud provider uses independent, third-party auditors to ensure compliance with its security management system
• Data Location
– Ensure the cloud provider will specify the country(ies) in which customer data will be stored
• Breach Notification
– Ensure the cloud provider will promptly notify customers of known security breaches that affect the confidentiality or integrity of their respective customer data.