Key contact: Antoine Hamel Rancourt
The term “cloud computing” does not designate a specific technology, but a new method for accessing and utilizing computer-based resources or services.
From a legal standpoint, using information-technology (IT) services based on a cloud-computing model where documents of a confidential nature are communicated or transferred for processing or storage requires an analysis of several issues involving the secure management of information and the protection of personal information (PI).
In Québec, the legal framework for these issues is provided by the Act to Establish a Legal Framework for Information Technology, (“ELFIT”)1 the statutes on the protection of PI in both the public sector (the Act respecting access to documents held by public bodies and the protection of personal information) (ADPPPI)2 and in the private sector (the Act respecting the protection of personal information in the private sector) (PPIPS)3 and by certain statutes that apply to specific spheres of activity4.
The act regarding the legal framework for IT
The provisions of ELFIT impose on organizations in Québec the obligation to expressly disclose the nature of any confidential document it entrusts to a service provider and ensure that measures or processes are implemented to guarantee the security of such documents. While those provisions have yet to be judicially interpreted, their wording implies that more is required than the standard contractual reference to “industry best practices”.
ELFIT also deals with the transmission of confidential documents5, specifying that the confidentiality of the transmitted documents must be preserved by a means appropriate to the mode of transmission, and that the means used (such as encryption) must be documented.
The statutes on the protection of personal information
Like the federal legislation6, both of the Québec statutes on the protection of PI refer to the possibility for an organization to use the services of a third party for handling documents containing PI. The statute that applies to the public sector also creates the obligation for the organization to conclude a written contract that specifies the applicable provisions of that statute and provides for measures to preserve the confidentiality of the PI and for obtaining confidentiality agreements. As for the statute applicable to the private sector, Québec’s access to information commission [Commission d’accès à l’information] has interpreted it to require the conclusion of a written contract as well7.
The two Québec statutes also provide for the possibility of using a service provider whose facilities are located outside Québec for the purposes of storing, using or communicating an organization’s information, without the organization having to obtain the specific consent of the persons whose PI is involved. However, the relevant sections provide that the organization must ensure that such PI is protected to the same degree as that contemplated by the relevant provisions of the statute applicable to the private sector or, in the case of public bodies, by those of the ADPPPI.8
In our view, this obligation may be satisfied by reviewing the legal framework for the protection of PI in the jurisdiction of the foreign service provider, in order to determine first of all whether such a framework exists, and if so whether it recognizes the right to privacy and the principle of the confidentiality of PI, and whether it contains provisions that are incompatible with the Québec statutory regime.9
Rights of access of government authorities
In the case of the United States of America, the aforementioned review must focus more specifically on both recognition of privacy rights and the extent to which the government has the right to access PI. The purpose of this particular review is to determine whether the government’s access rights are such that a Québec organization would conclude that information entrusted to an American service provider would not have the same degree of protection as that afforded by Québec law, or whether, on the contrary, the potential exercise of those access rights can be likened to a situation where information is communicated to “a body responsible for the prevention, detection or repression of crime or statutory offences” within the meaning of the exceptions under the Québec statutes.
While the U.S. constitution recognizes the right to privacy, that right can generally only be invoked by American citizens. Moreover, the protection of PI in the private sector is not provided by any statute of general application, but by statutes applicable to specific spheres of activity. Among these, the Electronic Communication Privacy Act10 recognizes that users of telecommunications services are entitled to an expectation of privacy and imposes non-disclosure obligations on service providers.
However, the U.S. statutes giving government authorities access powers supersede and negate those non-disclosure obligations. Since 2001, the Patriot Act has often been identified as constituting a risk of unauthorized disclosure of PI, which argues against using American service providers or having business relationships with them.
In addition, the access rights afforded to U.S. authorities must be compared with those available to their Canadian counterparts since the adoption, in December 2001, of the Anti-terrorism Act11. That statute entailed the amendment of several other statutes, including the Criminal Code, so as to expand the scope of the powers given to government authorities responsible for preventing, detecting or repressing crime or statutory offences. Today, various federal statutes give Canadian governmental authorities rights to intercept and seize data that are similar to those granted under U.S. statutes.12
Despite the similarity of the access powers granted pursuant to the U.S. and Canadian statutes, there can be a significant difference in how they are interpreted and applied13. The documents made public by Edward Snowden in 2013 reveal the extent of the authorizations granted by the Foreign Intelligence Surveillance Tribunal and of the surveillance operations conducted pursuant to the powers given to U.S. authorities. It must be said in this regard that the extent of the surveillance and information-gathering undertaken by U.S. authorities appears to have greatly exceeded that which could have been anticipated in light of the actual wording of the applicable statutes.14
As for the situation in Canada, we do not have sufficient information regarding the extent of existing surveillance operations. Some documents made public in 2013 do however indicate the degree of collaboration that exists among the respective authorities of the member countries of the “Five Eyes” (Canada, the U.S., Great Britain, Australia and New Zealand) and reveal that Canada cooperatively engaged in the surveillance of electronic communications during the G-20 summit held in Canada in 201015.
Last year’s revelations argue in favour of an analysis of the sensitivity of documents that could potentially be entrusted to a third-party service provider and the security mechanisms available to Québec organizations. The need for such a legal analysis does not of course rule out examining the advisability of using cloud-computing services after performing a proper risk analysis. As in any circumstances, Québec organizations should take the time to determine the degree of sensitivity of the categories of documents that could potentially be outsourced, to scrutinize the profile of the service provider and the security measures it proposes to implement and the impact of notifying the persons whose PI will be transferred16.
__________
1 CQLR, c. C-1.1
2 CQLR, c. A-2.1
3 CQLR, c. P-39.1
4 See also the provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA) regarding transborder transfers for private-sector organizations. The Organizations in the Province of Québec Exemption Order (SOR/2003-374)issued pursuant to section 26(2) of PIPEDA renders Part 1 of PIPEDA inapplicable “in respect of the collection, use and disclosure of personal information that occurs within the Province of Québec”. In the Guidelines for Processing Personal Data Across Borders, the Office of the Privacy Commissioner of Canada expressly states that “organizations not governed by PIPEDA for commercial activities within a province need to be aware that PIPEDA applies to transborder transfers”.
5 Section 34. For an exhaustive analysis of the provisions on transmission, see Patrick Gingras and Jean-François De Rico, “La transmission des documents technologiques”, in Actes de la XXe conférence des juristes de l’État, Cowansville, Yvon Blais, 2013, p. 409.
6Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, s. 5 and Schedule I, principle 4.1.3
7Deschesnes v. Groupe Jean Coutu, [2000] CAI 216, EYB 2000-17899
8 It should be noted that the final paragraph of s. 17 of the PPIPS and s. 70.1 of ADPPPI are the result of amendments made to these statutes in 2006. While at the time of the tabling and adoption of the amending statute the debates surrounding the Patriot Act were underway, the approach of the federal Privacy Commissioner was known, and parliamentarians were referring directly to the impugned statute, neither s. 17 nor s. 70.1 imposed a specific obligation to perform a legal analysis. Moreover, an examination of the transcript of the debates in the National Assembly on the section of Bill 86 that led to the introduction of s. 70.1 and the final paragraph of s. 17 indicates that some opposition members of the legislative commission wished to avoid the possibility of U.S. authorities accessing PI held by Québec organizations and to thwart the Patriot Act. However, the wording of ss. 17 and 70.1 that was eventually adopted does not suggest that the Québec legislature intended to prohibit the use of American service providers or other service providers using facilities in the U.S. or having a place of business there.
9 For a thorough analysis, see Jean-François De Rico, “L’infonuagique, la protection des renseignements personnels et les droits d’accès des gouvernements” in Bulletin Technologies de l’information – En bref, Yvon Blais, January 2014. In the event that the applicable legislation does not contain incompatible provisions, the services contract should stipulate the necessary undertakings for supplementing any lacunae in the local law, and specify the service provider’s obligations regarding the protection of PI and the preservation of the confidentiality of the documents entrusted to it.
10 Regarding this statute, see U.S. Internet Service Provider Association, “Electronic Evidence Compliance – A Guide for Internet Service Providers”, (2003) 18 Berkeley Tech. L.J. 945.
11An Act to amend the Criminal Code, the Official Secrets Act, the Canada Evidence Act, the Proceeds of Crime (Money Laundering) Act and other Acts, and to enact measures respecting the registration of charities, in order to combat terrorism, S.C. 2001, c. 41 (the “Anti-terrorism Act”).
12Criminal Code; Canadian Security Intelligence Service Act; Security of Information Act; National Defence Act; Mutual Legal Assistance in Criminal Matters Act. For a thorough analysis, see Jean-François De Rico, “L’infonuagique, la protection des renseignements personnels et les droits d’accès des gouvernements”, in Bulletin Technologies de l’information – En bref, Yvon Blais, January 2014.
13 On January 17, 2014, the President of the United States published a directive announcing the intention to review the framework for surveillance powers with a view to better protection of privacy: http://www.whitehouse.gov/the-press-office/2014/01/17/presidential-policy-directive-signals-intelligence-activities
14 Regarding the revelations of Edward Snowden and the surveillance programs disclosed, see the excellent website put together by The Guardian:http://tinyurl.com/nv8dbgu (consulted on January 5, 2014).
15 Greg Weston, Glen Greenwald and Ryan Gallagher, New Snowden docs show U.S. spied during G20 in Toronto, November 27, 2013 (http://www.cbc.ca/news/politics/new-snowden-docs-show-u-s-spied-during-g20-in-toronto-1.2442448). The document: http://www.cbc.ca/news2/pdf/summit-doc.pdf (consulted on January 3, 2014)
16 See in particular Cloud Security Alliance, Security Guidance for Critical Areas of Focus in Cloud Computing, v. 3.0, CSA, 2011; European Network And Information Security Agency (ENISA), Cloud computing – Benefits, risks and recommendations for information security, ENISA, November 2009.