How Are Canadians Affected By The USA Patriot Act And Cloud Computing?

July 10, 2012 Off By Hoofer
Zerto Banner
Grazed from CloudTweaks.  Author: Florence de Borja.

Whether Canadians like it or not, they are affected by the US Patriot Act. While some of the previous issues have been settled already, some new issues are already popping up – issues with cloud computing. The US Patriot Act, otherwise known as the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act, was passed after the World Trade Center attack in September 2011.

The law provided a way for US law enforcement agencies to seize business records and block electronic communications. Under this law, any law enforcement official can ask an electronic communication service provider to provide them with information without first letting the affected organizations or individuals know. By issuing a National Security Letter, the service provider can easily hand over any information…

In section 215 of the Act, the Federal Bureau of Investigation (FBI) can ask a federal judge to issue an order which requires parties to produce any tangible items so that the FBI can investigate any clandestine intelligence or international terrorism activities. Said provision is also believed to cover electronic business records. Because of cloud computing, any data from Canada can be mixed with other data from across the globe and housed in a datacenter which is located in the United States of America. As a result, Canadian data can be accessed by the US because it is under the jurisdiction of the USA and, as such, subject to US law. This can pose a Canadian privacy dilemma because under the privacy laws of the Canadian federal and provincial states, any organization which collects data is primarily responsible for data security. Such responsibility is even included in the privacy policy of the organization, as well as in the terms of service or contract.

Canadian organizations themselves are not precluded from tapping cloud services based in the USA if they are only servicing the private sector. The privacy laws of Canada do not prohibit any personal information transfer for storage and processing as long as the said transfer doesn’t make use of the personal information in any manner which wasn’t agreed upon by the organization and its clients; the organization maintains accountability for the personal information protection; the organization will provide the same level of data security as is required by Canadian law; and the said arrangement is disclosed to the client.

In 2009, the Office of the Privacy Commissioner of Canada conducted a survey, which compared Canadian surveillance laws with those of France, the UK, and the US. From 1990 up to the present, the US and Canada have had a Treaty on Mutual Legal Assistance in Criminal Matters wherein both countries have committed to helping each other with criminal investigations – even the Canadian Security and Intelligence Service Act issues secret warrants for the seizure and interception of electronic data. Communications relating to foreign parties can be intercepted by the Canadian Communications Security Establishment upon the order of the Minister of Defense, acting on the powers provided to the minister by the National Defense Act. The Criminal Code of Canada also allows electronic data seizures.

However, when an organization is servicing the public sector in Nova Scotia or British Columbia, it must seek legal advice. There are laws in Alberta, Nova Scotia, and British Columbia which prohibit data storage outside Canada.