The use of cloud data storage and management services has increased dramatically over the last few years. The services are often marketed for increased convenience, accessibility, and cost efficiency. Yet one area that persists as a concern is the level of legal protection that is afforded to the security and privacy of the data being stored or managed by these services particularly, some would argue, in the US. Recently, several companies have launched new cloud-based data storage services within Canada’s borders and have marketed them as “a good choice for those concerned about privacy issues in US-based data centres”.
Much of the concern surrounding the privacy of cloud computing services based in the US is focused on issues arising from operation of the USA PATRIOT Act
or Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (Patriot Act)
. The Patriot Act
was introduced in 2001 following the attack on September 11 at the World Trade Center, increasing the powers of law enforcement and national security agencies to investigate and obtain intelligence relating to suspected terrorist activity.
The Patriot Act
received a lot of public attention in 2004, when the provincial government of British Columbia proposed to outsource some of the services associated with its medical plan including the storage of patient data, to US-based multinational corporations. The proposal was met with some resistance, most notably from the public-sector union which represented affected employees. The Privacy Commissioner of British Columbia carried out a public inquiry to investigate the potential privacy issue and recommended several restrictions on out-sourcing services involving personal data to foreign jurisdictions.
Companies considering cloud computing solutions should be aware that while Canada may not necessarily have an exact equivalent of the Patriot Act
, it does have legislation that allows Canadian authorities to assume not dissimilar powers in obtaining sensitive information, including search warrants under the Criminal Code
and the Canadian Security Intelligence Service Act
. There are also similar regimes found across Europe. Hence, regardless of where data resides, it may be subject to lawful disclosure to the applicable authorities.
For more commentary see:
Summary by: Thomas Wong