Law Times

Page 10 January 21, 2013 Law Times • FOCUS Privacy issues grow as cloud computing mushrooms Transnational nature, control of information among biggest concerns BY Julius Melnitzer "It's often not clear about which country's laws apply and when they apply," says Flaherty. "Different legal systems often have different concepts s cloud computing mushrooms, so do the privacy of jurisdiction." issues surrounding it. For example, the United States asserts subject-matter "Cloud computing is on everyone's radar because jurisdiction over any cloud arrangement that has access of the cost savings associated with it," says Patrick to that country. Flaherty of Torys LLP's Toronto office. "No one set of laws will ever answer "Frequently, however, the cloud all the questions," says Flaherty. presents as a choice: convenience and "The key, however, is to ensure that efficiency or privacy." you're complying with local laws reTo be sure, some of the privacy isgarding the transfer of data." sues related to the cloud are old-world From a Canadian perspective, due concerns. "E-mail or at least part of it diligence in terms of asking where has been in the cloud for years," Fladata is going and who will have access herty notes. "And concerns about outis also critical. sourcing are really nothing new either." "Canada's privacy commissioners What's dominating the discussion have done an excellent job in formulating these days are the issues that arise from guidelines and checklists," says Flaherty. the transnational nature of the entities The reality, however, is that the most participating in the phenomenom. cost-effective cloud services involve "It is not unusual to have a transnastandard form contracts, especially if tional cast of characters behind a cloud they're free. provider," says Flaherty. "For example, a "Even when someone's paying for 'Because the cloud model entails some provider operating in the United States sacrifice of control, organizations need to the services, only very high-volume can be dealing with personal information look carefully at the kind of control they users may be able to negotiate out the of users in Canada and Australia while will need in dealing with data,' says Dan bumps in the standard forms," says Flautilizing data processors in India who Michaluk. herty. "But that's just a function of maraccess the data on servers located in Uruket power, and all people can do is reguay, all of which is backed up on servers in Ireland." main sufficiently sensitized and use whatever contractual Providers also want to access low-cost jurisdictions that techniques they can to mitigate risk." have cheaper labour, but many of these jurisdictions don't What also complicates due diligence is the lack of unihave robust privacy laws, making it difficult for companies versal or indeed any standards for assessing privacy risk, to meet their accountability obligations. a task that requires consideration of the economic, socioOther concerns relate to the fact that data may be at risk logical, and risk environments. when stored in developing countries that have histories "There is nothing in the nature of country rating reports of totalitarian regimes and the continuing uncertainty to help with the evaluation, which means that you're left about the applicability of laws relating to jurisdiction. with a rather difficult analysis," says Dan Michaluk of Hicks For Law Times A Morley Hamilton Stewart Storie LLP's Toronto office. "All you can do is to put on your reasonable custodian hat and make a judgment as to whether it's reasonable to put personal information into any particular country." These difficulties, Michaluk adds, are barriers to the adoption of cloud computing. "What we're seeing is an increasing sensitivity among data custodians who are shying away from wholesale adoption of cloud computing and approaching it on more of a one-system-a-time basis starting with the systems that contain the least sensitive personal information." Michaluk also cautions custodians not to forget that sacrificing control is as much of an issue in cloud computing as is the location of the information. On-premise computing, he notes, allows the greatest degree of control. Hosting relationships involve giving up some control but have the advantage of operating in one-to-one relationship environments. "In other words, you still have a reasonable degree of control because the relationship is structured to accommodate that control," says Michaluk. "But cloud computing de-emphasizes fine-grain control." Control can be an issue in various contexts, including data-breach investigations. "The freedom to investigate when the data is on the premises is very broad," says Michaluk. "But generally, there's a great lack of transparency about what's going on in the cloud." An organization may not know where its cloud provider keeps data or whether it has stored it in multiple places. As a result, it may face delays and difficulties in getting to the data and figuring out what has transpired. "Because the cloud model entails some sacrifice of control, organizations need to look carefully at the kind of control they will need in dealing with data," says Michaluk. Among the questions organizations should ask themselves are whether investigations are likely to arise, who's going to do the data extraction, will the form of extraction be sufficient for the organization's needs, and what the extraction will cost. LT A OF CANADIAN LEGAL NEWS DAILY BLOG WWW.CANADIANLAWYERMAG.COM/LEGALFEEDS C POWERED BY CANADIAN LAWYER & LAW TIMES LegalFeeds-1/2-LT-Apr23-12 2.indd 1 www.lawtimesnews.com 12-04-24 12:17 PM

• Cover