Last June we read with interest Zack Whittaker’s article Microsoft admits Patriot Act can access EU- based cloud data . The article focuses on the effects of the USA Patriot Act on cloud computing. Interestingly, the article states an admission made by the managing director of Microsoft UK that cloud data, regardless of where it is in the world, is not protected against the USA Patriot Act. As the data processor for cloud computing services, Microsoft, a US based company, can be compelled to hand-over data to the US authorities without any kind of prior notice or consent (even where doing so may be in contravention of other local laws in non-US jurisdictions).
This raises an interesting issue in the context of outsourcing deals where IT Managers and CIOs are constantly under pressure to deliver scalable, cost effective, “built for the future” solutions, and public cloud computing is one such IT solution offering just those features.
In the case of public cloud computing, many have argued that all data and information is potentially at risk of being disclosed under the USA Patriot Act where the cloud computing processor is US-based. Business owners need to look past the ownership and control of the information, as well as the privacy protection covenants in the outsourcing agreement, and consider how and where the information is processed and stored, and by whom. The effect of the USA Patriot Act on an outsourced transaction involving Canadian business owners and US-based service providers is nothing new. However, what is at risk of being overlooked is the back-door opening to the USA Patriot Act where non-US-based service providers are using cloud computing offered through a US-based company as part of the deal. This is where privacy protection provisions may fall short, and although they will not be effective to stop a disclosure of information under the USA Patriot Act, they could at least address the issue of damages were that to occur.
So what does this mean for business owners and service providers? Based on our review of the literature, some recommend that:
- business owners must understand their legal obligations to protect personal information and how the legal exceptions might apply to their businesses (for example, an appropriate customer consent at the time that information is collected may or may not be required). The legal obligations vary by jurisdiction – in some cases it may be enough to take reasonable steps to protect the information, even though protection cannot be guaranteed;
- business owners should assess the personal information that they are collecting and determine if they collecting too much information, or even the right information, for their business purpose;
- business owners must understand what they are representing to their customers concerning any personal information collected and whether those representations are accurate or need changing;
- the parties should consider specific contractual terms designed to address privacy in the cloud computing environment, such as early warning where legally permitted – this may mean some customization of the cloud computing contract; and
- business owners should adopt policies and procedures for dealing with unauthorized disclosure of personal information, to the extent that the disclosure becomes known to them.