The Cloud and the PATRIOT Act
As a lawyer setting up a sole practice after many years with a Firm, I have had to read about technology recently. A lot. One topic on which so much has been written is Cloud computing and concerns for Canadian lawyers raised by the PATRIOT Act. A simple search of SLAW alone lists 53 articles touching on this topic.
This is the situation as far as I have been able to cobble it together.
The PATRIOT Act is intended to simplify the US government’s access to business records for intelligence gathering, permitting quicker, easier access to otherwise confidential records and other information without the need to demonstrate probable cause or to obtain an administrative subpoena (both of which were previously required to gain such access).
Typically Cloud computing services physically store data in the US.
Canadian information physically located on US soil which would be required to be kept confidential under Canadian laws (PIPEDA) is exposed to compulsory disclosure to, or seizure by, US government officials on demand, with no opportunity for our government or the affected Canadian organization or individual to have any notice or input into such disclosure. (The US Act explicitly prohibits disclosure of the specifics of the order for such disclosure and therefore it is unlikely that the affected Canadian organization or individual would even be aware the disclosure had taken place.)
Such disclosure in the US could mean the Canadian law firm has breached Canadian privacy legislation.
Article 5.7 of the LSUC Practice Management Guidelines (which emphasizes that it is no more than a guideline) states lawyers must “develop and maintain an awareness” of how to minimize risks of disclosures, “use reasonably appropriate technical means” to minimize these risks, and should “offer reasonable protection against inadvertent” disclosure.
But what are the reasonable precautions Ontario lawyers should use? Is such due diligence even feasible? (See David Whelan’s SLAW piece 7 March 2012 here.)
Are Ontario lawyers who use Cloud computing services that store data in the US blithely breaching their obligations?
Anyone out there got the answer?
While certainly not an ‘answer’, this blog post (referring to his presentation) certainly suggests that in actual fact, the Canadian laws are reasonably similar to the US in terms of access to e-information. How one complies with competing legislation by various sovereign foreign entities strikes me as not new territory, although it may be new in terms of privacy legislation.
What more surprises me is the still relatively small number of cloud service providers who have strong Canada-only data centres. Although, even accessing information via the internet that is stored in Canada certainly doesn’t guarantee that the transmission stays solely on infrastructure in Canada.
Lawyers have issues with governments accessing their practice and client data but it is not US specific nor is it because of the Patriot Act.
Like @Paul Pinkerton above, I like these slides by David Fraser from about 3 weeks ago for a brief overview. A piece on CIO.com discusses a study that found that the US Patriot Act doesn’t give any more access to cloud data than other countries. If you find a Canadian cloud provider and a US one, all other things being equal, it doesn’t seem to matter if the server is in the US or Canada.
If it’s in North America, I don’t think the location is an issue. You can then apply the same purchasing and selection process you do with your locally installed technology. Shifting those decisions to the cloud just amplifies what should already be localized concerns: backup, security (passwords, encryption), availability, etc. What’s reasonable for one lawyer with one given practice may not always work for another, but I’m not sure it’s a new set of decision criteria.
Most legislation protecting civil rights is written to protect against the threat of infringement on the civil rights of a citizen by her OWN government. They do not usually cover non-citizens or protect against infringement by foreign governments. Once you separate the government doing the infringing from the citizen whose rights are being infringed, it becomes incredibly difficult to obtain a remedy through the courts.
The issue gets muddied when we talk about the Patriot Act because we tend to think of Americans as our cousins with similar interests and similar values. We also have many trade relationships and strong economic ties to the US. Perhaps the risk would be clearer if we were talking about cloud computing to servers wholly within jurisdiction of China?
I can’t speak to lawyers’ duties, but I have some material containing what our American cousins call “personally identifying information”, and can’t credibly put it into what Mina S. identifies as a regime where I have neither guarantees nor remedies…
–dave
By the way, given the mutual assistance arrangements that exist between the law enforcement, tax and securities authorities on both sides of the border, that afford easy and continuous two way flow of law enforcement, tax and securities information, the idea that the USA Patriot Act would actually be resorted to gather information on Canadian businesses is unlikely.