CLOUD COMPUTING & THE PATRIOT ACT: A RED HERRING? Lindsey Finch Senior Global Privacy Counsel Salesforce.com lfinch@salesforce.com David T.S. Fraser Partner McInnes Cooper David.fraser@mcinnescooper.com
CLOUD COMPUTING & THE PATRIOT ACT: A RED HERRING? I. Brief Overview of Cloud Computing II. Cloud Computing & Privacy A. Privacy Issues B. Privacy Benefits III. Cloud Computing & Jurisdictional Concerns A. Patriot Act B. Canadian Laws Akin to the Patriot Act C. Information Sharing Amongst Governments D. Myths & Realities IV. Practical Response A. Returning to First Principles B. Checklist for Service Provider Contracts
BRIEF OVERVIEW OF CLOUD COMPUTING Definition of Cloud Computing Oftentimes debated and little consensus Distributed computing architecture in which data and applications reside on servers separate from the user and are accessed via the Internet Applications and data are generally accessible from anywhere, provided you have an Internet connection Low cost of administration, scalable, greener Subscription-based, pay-as-you-go license User with Internet Access Remote Data Center Data entered by user is sent to data center for storage/processing and returned to user through an Internet browser interface
BRIEF OVERVIEW OF CLOUD COMPUTING Applications Moving to the Cloud 1960 s Mainframe 1980 s Client/server Today Cloud Computing Applications Platforms Moving to the Cloud 1960 s Mainframe 1980 s Client/server Today Cloud Computing Platforms
BRIEF OVERVIEW OF CLOUD COMPUTING Consumer versus Enterprise Offerings Consumer Offerings Oftentimes free of charge Almost always have take-it-or-leave-it terms of service Terms of service may be subject to change Provider may use customer data for advertising, other purposes to monetize offering Enterprise Offerings Typically charge a fee Sometimes terms of service are subject to negotiation Terms of service typically cannot be unilaterally changed Provider typically does not use customer data for purposes beyond providing the services
CLOUD COMPUTING & THE PATRIOT ACT: A RED HERRING? I. Brief Overview of Cloud Computing II. Cloud Computing & Privacy A. Privacy Issues B. Privacy Benefits III. Cloud Computing & Jurisdictional Concerns A. Patriot Act B. Canadian Laws Akin to the Patriot Act C. Information Sharing Amongst Governments D. Myths & Realities IV. Practical Response A. Returning to First Principles B. Checklist for Service Provider Contracts
CLOUD COMPUTING & PRIVACY Privacy Issues Control Does the provider claim ownership rights in customer data? Does the provider only use customer data as their customers instruct them or to fulfill their contractual or legal obligations? Does the provider only disclose customer data as required by law and, to the extent permitted by law, provide customers with prior notification of any such compelled disclosure? Data Location/Transfers Where are data centers located? Security Does the provider adhere to internationally-accepted security standards, such as the ISO 27002 framework? Does the provider have regular, third-party, independent audits of its security program? Negotiable contracts? Will the provider negotiate customer contracts?
BRIEF OVERVIEW OF CLOUD COMPUTING Benefits of Cloud Computing Professional Management More secure data centers More operational controls around data access More security resources Better auditability Data is not easily lost Single code base for remediating vulnerabilities One fix can benefit all customers simultaneously Sum of customer requirements benefit all customers Customers across multiple geographies, industries impose requirements on provider Same services used for all customers mean all customers benefit from each other s requirements
CLOUD COMPUTING & THE PATRIOT ACT: A RED HERRING? I. Brief Overview of Cloud Computing II. Cloud Computing & Privacy A. Privacy Issues B. Privacy Benefits III.Cloud Computing & Jurisdictional Concerns A. Patriot Act B. Canadian Laws Akin to the Patriot Act C. Information Sharing Amongst Governments D. Myths & Realities IV. Practical Response A. Returning to First Principles B. Checklist for Service Provider Contracts
Patriot Act: Overview of Law Brief History Signed into law on October 26, 2011 in response to the terrorist attacks against the U.S. on September 11, 2011 Amended existing laws governing intelligence activities Focus of Law Permit information-gathering related to matters of national security, particularly to combat world-wide terrorism and financing thereof Controversial Aspects Intelligence, surveillance, and information collection tools have been expanded Procedural hurdles for using such tools have been reduced Protections Embedded Involvement by all three branches of government in all instances Attempt to balance national security concerns with privacy rights
Issues for Canadians: Expanded Rights of U.S. Government Expands law enforcement and intelligence agencies surveillance and investigative powers Certain provisions prohibit recipient of order to reveal the order s existence, except to legal counsel Powers of surveillance and search/seizure extend to records of Canadians Powers could extend to records in the custody of US companies in Canada Canadian subsidiaries of US companies Canadian companies with US presence
Canadian Response to Patriot Act British Columbia British Columbia Government Employees Union (BCGEU) launched Right to Privacy Campaign (May 10, 2004)
Canadian Response to Patriot Act BC Commissioner s Inquiry Information and Privacy Commissioner of BC began inquiry into the Patriot Act and British Columbians privacy Spring 2004 Particularly focused on s. 215 secret court orders permitting seizure of any tangible thing Received over 500 submissions, including from the FBI and the U.S. service provider of BCGEU BC FOIPPA Amendments Before final Commissioner report, BC government introduced amendments to the BC Freedom of Information and Protection of Privacy Act Passed on October 19, 2004 Applicable to public sector bodies Wide prohibition against disclosures of personal information outside of Canada
Canadian Response to Patriot Act Alberta s Protection of Personal Information Act Applicable to private sector organisations 92(3) A person must not wilfully disclose personal information to which this Act applies pursuant to a subpoena, warrant or order issued or made by a court, person or body having no jurisdiction in Alberta to compel the production of information or purusant to a rule of court that is not binding in Alberta 92(4) A person who contravenes subsection (3) is guilty of an offence and liable (1)in the case of an individual, to a fine of not less than $2,000 and not more than $10,000, and (2)in the case of an other person, to a fine of not less than $200,000 and not more than $500,000
Canadian Response to Patriot Act Nova Scotia s Personal Information International Disclosure Protection Act Applicable to public sector bodies General rule: Personal information must be stored in Canada and accessed only from Canada General exceptions: Consent of the individual in the prescribed form Permitted disclosure under the Act Storage or access permitted by head of the public body Exceptions that may be granted by head of public body Head of public body can permit storage or access outside of Canada if the head considers the storage or access is to meet the necessary requirements of the public body s operation Head can impose restrictions and conditions Head must report all such decisions to the Minister within 90 days of the end of the relevant year
Canadian Response to Patriot Act Nova Scotia s Personal Information International Disclosure Protection Act Section 9(3) Law enforcement Public body that is a law enforcement agency may disclose personal information to (a) another law enforcement agency in Canada; or (b) a law enforcement agency in a foreign country under an arrangement, a written agreement, a treaty or an enactment of the Province, the Government of Canada or the Parliament Section 9(4) Electronic devices The head of a public body may allow a director, officer or employee of the public body to transport personal information outside Canada temporarily if the head consider it is necessary for the performance of the duties of the director, officer or employee to transport the information in a computer, a cell phone or another mobile electronic device
Canadian Response to Patriot Act Personal Information and Protection of Electronic Documents Act (PIPEDA) Applicable to private sector organizations except where there is a substantially similar provincial law Permits transfers of personal information outside of Canada when certain conditions are met Principle 4.1.3 of Schedule 1 An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.
Canadian Response to Patriot Act Office of the Privacy Commissioner s Processing Personal Data Across Borders Guidelines Published in January 2009 Clearly sets forth conditions under which personal information may be transferred outside of Canada for processing purposes in compliance with PIPEDA
Canadian Laws Akin to the Patriot Act Anti-terrorism Act Passed by parliament and became law on December 24, 2001 Amended a range of statutes, including Criminal Code Canadian Security Intelligence Service Act (CSIS Act) National Defence Act
Canadian Laws Akin to the Patriot Act Interception of Email Interception of email in transit would require a wiretap order under the Criminal Code, CSIS Act or ministerial authorization under the National Defence Act Access to an email in storage would require a search warrant or production order under the Criminal Code or under the CSIS Act
Canadian Laws Akin to the Patriot Act CSIS Act Allows secret order from secret court (specially designated judges from the Federal Court) Allows a secret warrant authorizing Interception of communication Obtaining any information, record, document or thing Can obtain these by Entering any place Searching, removing and examining any thing To install, maintain or remove any thing
Canadian Laws Akin to the Patriot Act National Defence Act Provisions added by the Anti-terrorism Act refer to the Communications Security Establishment (the Canadian NSA) Minister (not court) can authorize interception, for the purpose of foreign intelligence, of private communications directed at foreign entities located outside of Canada Note: foreign intelligence means information or intelligence about the capabilities, intentions or activities of a foreign individual, state, organization, or terrorist group, as they relate to international affairs, defence or security
Information Sharing Amongst Government Canadian and US intelligence agencies share vast amounts of information Mutual legal assistance treaties (MLATs) allow Canadian authorities to get warrants for US authorities, and vice versa Arrangement exist for informal sharing related to targets of mutual interest Canadian authorities can get information in the US without a warrant and American authorities can get information in Canada without a warrant
Myths & Realities: How are Canadian Laws Different than the Patriot Act? Reality: most of the provisions of the Patriot Act are mirrored in Canadian law Reality: Canada has a secret court that allows ex parte applications for warrants, including sneak and peak warrants Reality: Canada has warrantless wiretap powers for international communications, same as in the US Reality: There is a huge degree of cooperation between Canadian and US authorities, both formal and informal
CLOUD COMPUTING & THE PATRIOT ACT: A RED HERRING? I. Brief Overview of Cloud Computing II. Cloud Computing & Privacy A. Privacy Issues B. Privacy Benefits III. Cloud Computing & Jurisdictional Concerns A. Patriot Act B. Canadian Laws Akin to the Patriot Act C. Information Sharing Amongst Governments D. Myths & Realities IV. Practical Response A. Returning to First Principles B. Checklist for Service Provider Contracts
Returning to First Principles 1. Original data custodian remains accountable 2. Original data custodian should make informed choices about service providers 3. Original data custodial should take a risk-based approach 4. Most Canadian laws permit cross-border transfers
Checklist for Service Provider Contracts Ownership Ensure the cloud provider claims no ownership right in customer data Use Ensure the cloud provider only use customer data as instructed by its respective customers or to fulfill the provider s contractual or legal requirements Disclosure Ensure the cloud provider only discloses customer data where required by law and, to the extent permitted by law, provides prior notification of compelled disclosure to the impacted customer Security Ensure the cloud provider maintains a robust security management system based on an internationally accepted security framework (such as ISO 27002) Ensure the cloud provider offers a selection of security features to implement in its customers usage of cloud services Audit Ensure the cloud provider uses independent, third-party auditors to ensure compliance with its security management system Data Location Ensure the cloud provider will specify the country(ies) in which customer data will be stored Breach Notification Ensure the cloud provider will promptly notify customers of known security breaches that affect the confidentiality or integrity of their respective customer data.
THANK YOU Lindsey Finch Senior Global Privacy Counsel Salesforce.com lfinch@salesforce.com David T.S. Fraser Partner McInnes Cooper David.fraser@mcinnescooper.com