Law Times

Page 10 June 3, 2013 Law Times • FOCUS Patriot Act driving businesses offshore But companies warned about legal, privacy pitfalls in outsourcing IT needs BY MICHAEL McKIERNAN For Law Times W aning fear about the U.S. Patriot Act is helping drive Canadian businesses offshore in search of cloud-computing solutions. When it passed following the Sept. 11, 2001, terror attacks, observers billed the Patriot Act as a transformational boost in the U.S. government's seizure powers. As a result, the legislation has traditionally frightened off Canadian companies from storing personal information there. But that has changed, according to Robert Percival, co-chairman of Norton Rose Canada LLP's technology and outsourcing teams. "There has been a lot of fear and uncertainty around the Patriot Act, and in fact, I think a lot of misunderstanding around it," says Percival. "If I'm a Canadian business, the Patriot Act really shouldn't be a barrier other than perhaps having to provide notice to my customers that data is located outside the country. It's really not an issue that's unique to U.S. organizations. There are Canadian statutes in place that have a similar impact in enabling privacy protection afforded the authorities to require by a U.S. service provider disclosure in anti-terror is comparable to that of a type cases and a number Canadian-based provider." of bilateral agreements be"The Patriot Act has intween the U.S. and Canada voked unprecedented levels that allow security organiof apprehension and conzations to exchange persternation. . . . The feared sonal information." powers were available to Last year, a special inveslaw enforcement long betigation by the Office of the fore the passage of the PaInformation and Privacy triot Act through a variety Commissioner into the liof other legal instruments. censing automation system In my view, these fears are at the province's Ministry of largely overblown, and Natural Resources helped focusing on them unduly lay to rest some of the myths about the Patriot Act fol- 'You can't take a great deal of comfort constitutes a pointless exerlowing a complaint from an that the cloud contractor is going to be on cise," wrote Cavoukian. "The critical question MPP about the storage of the hook for failing to deliver,' says Robert for institutions which have personal information south Percival. outsourced their operaof the border. In her report, commissioner Ann Ca- tions across provincial or international borvoukian emphasized that Ontario has no leg- ders is whether they have taken reasonable islative prohibition on the storage of personal steps to protect the privacy and security of information outside Canada and endorsed a the records in their custody and control. I finding by her federal counterpart that "the have always taken the position that you can CANADIAN LAW LIST 2013 YOUR INSTANT CONNECTION TO CANADA'S LEGAL NETWORK Inside you will find: of more than 58,000 barristers, solicitors and Quebec notaries, corporate counsel, law firms and judges in Canada; for the Supreme Court of Canada, the Federal Court of Canada, Federal Cabinet Ministers, departments, boards, commissions and Crown corporations; February each year L88804-590 L88804-590 Prices subject to change without notice, to applicable taxes and shipping & handling. related to each province for the Courts of Appeal, Supreme Courts, County and District Courts, Provincial Courts, law societies, law schools, Legal Aid, and other law-related offices of importance. MORE THAN A PHONE BOOK Visit carswell.com or call 1.800.387.5164 for a 30-day no-risk evaluation Untitled-1 1 www.lawtimesnews.com 13-01-29 3:10 PM outsource services, but you cannot outsource accountability." Wherever data ends up stored, Pat Flaherty, a partner in the privacy practice group at Torys LLP in Toronto, says it's vital to work out which country's laws will apply as part of a cloud computing relationship. "What's new and unique with the cloud is that it is truly transnational in nature. Cloud providers often have multiple layers of parties involved in the delivery of their service, and there isn't always full transparency about who is doing what to who and where," he says. "Providers are typically looking for the lowest cost, so lots of subcontracting is done to lowcost jurisdictions. You have to think about how you meet your transparency and disclosure obligations to your own customers when you may not even know who's processing your data." Percival says businesses should perform the same sorts of checks on a cloud provider as they would with any other outsourcer in a more traditional line of business. "By putting data in the cloud . . . you're effectively giving up a degree of control over it. You are no longer the custodian," he says, adding that the depth of the investigation depends on the nature of the data. "In a low-risk scenario where you're storing a bunch of non-proprietary data that maybe doesn't matter that much, it may be that you care less about security or where it is. If it is material to your business, you have a different set of considerations to think about. How are they backing it up and securing it against intrusion, loss, and viruses? Not only what's being done to protect it but how you can verify it?" Percival says one way to achieve a level of certainty about issues such as legal jurisdiction and performance levels is to include provisions for them in the service contract. But in an industry that leans strongly towards standard-form contracts, that can be problematic, he says. "These long contracts have the illusion of commitments around service levels, but when you look hard at it, there's not much meat there. You can't take a great deal of comfort that the cloud contractor is going to be on the hook for failing to deliver. I think often there are a lot of unrealistic expectations on the contractual side about what you're getting. Most private providers are built on a model where there's not a lot of intent to negotiate custom arrangements." Flaherty says tailoring is possible but notes it could prove expensive and cut into the savings businesses hope to achieve by using the service in the first place. "Unless you're a real volume cloud buyer, it's hard to negotiate the standard forms and conditions which typically minimize the risk of providers," he says. LT

• Cover