Cloud computing is the most visible piece of the vast cross-border movement of information and revenue that characterizes the Web 2.0 era. However, across the world’s longest undefended border – between the U.S. and Canada – the high-profile national security law, the USA Patriot Act (actually an acronym that stands for Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism), has become a major concern. That’s because the law broadens the powers of the U.S. government to seize information and does not require that parties be informed. Couple that fact with the provisions of various Canadian privacy and security regulations and you have a mixture that is putting a chill on cross-border IT services.
David Black, chief information security officer for Aon eSolutions, is one of those affected. His U.S.-based company, which offers a number of hosted products, has had many Canadian clients express concerns about working with a company based in the U.S. because of fears that data security and privacy could be rendered ineffective by provisions of the Patriot Act.
“We have run into many clients with these concerns so we have been doing a lot of research and ultimately scheduled some face-to-face time to try to reassure them,” said Black. Most concerns center on the Patriot Act, complicated by a variety of regulations put in place at the provincial level. “There are separate provisions in Nova Scotia and British Columbia that seem to say you can’t store data outside of the country, but the fine print offers many exceptions.”
“At the federal level, the Office of the Privacy Commissioner of Canada has made it clear that it is not against the law to work across the border. They think anything like that would hinder Canada,” said Black. However, there is an implicit assumption that Canadian companies will perform due diligence to ensure that contractual protections are in place and that providers are in a position to live up to their promises.
Still, Black believes the uncertainty has led many Canadian companies to develop internal policies forbidding trans-border data transfers.
Scott Crawford, managing research director at Enterprise Management Associates, said the problem needs to be viewed in terms of the relatively modest level of adoption for cloud in general. It is, he said, one more element making adoption problematic. “If you are giving up some control over your data, at a minimum you want transparency so that you can understand how and where your data is being handled,” he said. He likened it to another potential legal issue, namely “shared tenancy.”
“Shared tenancy is the issue of whether, for example, it should be acceptable for a regulator and a regulated entity to have data hosted at the same place,” he explained. Indeed, Crawford said “negotiations around liability and indemnification are the sorest sticking point in any negotiations involving cloud computing.” In terms of meeting concerns about maintaining data only within certain geographies, attempting to put in place such limits undermines the fundamental value proposition of the cloud. “If you did that you would end up with just an outsourced building and data center,” he said.
Theo Ling, head of the privacy practice at Baker & McKenzie in Canada, believes the problems have been overstated and have only been given more prominence due to the controversy surrounding the Patriot Act as well as the recent growth in cloud computing. “In the vast majority of situations there is no prohibition on transferring data,” he said. The few exceptions are primarily in the public sector.
What is generally required under privacy legislation in Canada is that certain steps must be taken to try to ensure that the data is being adequately protected and that the people whose data is being transferred know about it so they have some ability to consent, Ling explained. In addition, Ling said U.S.-based service providers should be contracted to maintain data privacy and protect data to the standards prescribed in Canadian law.
Regarding the Patriot Act specifically, Ling said “it is a bit of a red herring” because existing laws and bilateral agreements and cooperation between national law enforcement agencies would probably come into play if information on Canadian citizens or Canadian entities was of interest to U.S. investigators. “They would still be likely to work through those lawful channels whether the data was in Canada or in the U.S., so nothing much has changed,” he explained.
Although the concerns involving harmonizing U.S. and Canadian laws may prove to be manageable, Ling did acknowledge that the challenge of harmonizing legal structures for cross-border IT trade is really a global one. “It will probably take years to work out all the issues but at least there is now an ISO standard for security, so that is a starting point,” he said.
Alan R. Earls is a writer specializing in business and technology. He is based in the Boston area.