June 03, 2013
Pat Flaherty provided comments to a recent Law Times article on how the U.S. Patriot Act, viewed by some as immoderately enabling access to personal information, has affected data storage for Canadian and international organizations. Read an excerpt of the article below.
“The Patriot Act has invoked unprecedented levels of apprehension and consternation. . . . The feared powers were available to law enforcement long before the passage of the Patriot Act through a variety of other legal instruments. In my view, these fears are largely overblown, and focusing on them unduly constitutes a pointless exercise,” wrote [Canadian Privacy Commissioner] Cavoukian.
“The critical question for institutions which have outsourced their operations across provincial or international borders is whether they have taken reasonable steps to protect the privacy and security of the records in their custody and control. I have always taken the position that you can outsource services, but you cannot outsource accountability.”
Wherever data ends up stored, Pat Flaherty, a partner in the privacy practice group at Torys LLP in Toronto, says it’s vital to work out which country’s laws will apply as part of a cloud computing relationship. “What’s new and unique with the cloud is that it is truly transnational in nature. Cloud providers often have multiple layers of parties involved in the delivery of their service, and there isn’t always full transparency about who is doing what to who and where,” he says.
“Providers are typically looking for the lowest cost, so lots of subcontracting is done to low-cost jurisdictions. You have to think about how you meet your transparency and disclosure obligations to your own customers when you may not even know who’s processing your data.”
Click here for the full article.