As a lawyer setting up a sole practice after many years with a Firm, I have had to read about technology recently. A lot. One topic on which so much has been written is Cloud computing and concerns for Canadian lawyers raised by the PATRIOT Act. A simple search of SLAW alone lists 53 articles touching on this topic.
This is the situation as far as I have been able to cobble it together.
The PATRIOT Act is intended to simplify the US government’s access to business records for intelligence gathering, permitting quicker, easier access to otherwise confidential records and other information without the need to demonstrate probable cause or for an administrative subpoena (both of which were previously required to gain such access).
Typically Cloud computing services physically store data in the US.
Canadian information physically located on US soil which would be required to be kept confidential under Canadian laws (PIPEDA) is exposed to compulsory disclosure to, or seizure by, US government officials on demand, with no opportunity for our government or the affected Canadian organization or individual to have any notice or input into such disclosure. (The US Act explicitly prohibits disclosure of the specifics of the order for such disclosure and therefore it is unlikely that the affected Canadian organization or individual would even be aware the disclosure had taken place.)
Such disclosure in the US could mean the Canadian law firm has breached Canadian privacy legislation.
Article 5.7 of the LSUC Practice Management Guidelines (which emphasizes that it is no more than a guideline) states lawyers must “develop and maintain an awareness” of how to minimize risks of disclosures, “use reasonably appropriate technical means” to minimize these risks, and should “offer reasonable protection against inadvertent” disclosure.
But what are the reasonable precautions Ontario lawyers should use? Is such due diligence even feasible? (See David Whenlan’s SLAW piece 7 March 2012 here.)
Are Ontario lawyers who use Cloud computing services that store data in the US blithely breaching their obligations?
Anyone out there got the answer?