November 21, 2012
As electronic information accumulates into virtual mountains, the ease and low cost of storing it offsite or outsourcing software functions can be irresistible to businesses looking to cut expenses in any way they can. But since this often involves the transfer of personal information, experts say the increasingly ubiquitous "cloud" can also create unforeseen headaches when that information ends up outside Canada.
When data end up stored outside of Canada, they will also be subject to foreign laws, something that led to heightened concern when the U.S. Patriot Act came into force following the terrorist attacks of Sept. 11, 2001, as it gave authorities south of the border expanded search and seizure powers.
"It created a lot of anxiety in Canada and other places about the processing or storage of personal information in the United States," said Patrick Flaherty, a partner at Torys with technology and privacy litigation experience.
In handling a 2004 complaint against Canadian Imperial Bank of Commerce with respect to its storage of credit card data in the U.S., the privacy commissioner ultimately found the bank met its Canadian privacy law obligations because it told its customers that this cross-border data processing and storage was happening, Pat said.
“Some of that Patriot Act-based concern has abated a bit because parties’ obligations here are clearer,” he said. “I think with the cloud, the interesting implications with it are that it’s truly trans-national in nature. In many cloud arrangements, you can have multiple jurisdictions in which the parties who provided the data or who are processing the data are located … and it creates some uncertainty about whose law will apply when.”
While cloud-based services offer businesses the chance to substantially lower their IT costs — by as much as 25% to 30% — and free up their in-house IT department to work on more innovative tasks, Pat said, “You have to balance the cost savings with the risk posed by the mass outsourcing of data.”
The consequences for mishandling data and breaching privacy could range from regulatory fines to class-action suits.
“But the reality is that while the cloud has a certain kind of sex appeal and currency right now, the fact is that many email systems — and all kinds of systems that we’ve been living with and using for years — have features or functions of this outsourcing in foreign jurisdictions,” Pat said. “So it’s not a new problem, it’s just perhaps more prominent now given the attention that’s being paid to cloud issues.
Read the full article here.