Cloudy with a Chance of Privacy Compliance - Reboot Ottawa 2012
1. Cloudy with a Chance of
Privacy Compliance
Cross Border Data Flows; Multi National Cloud
Environments
PRESENTATION OCTOBER 5, 2012 3rd Annual Privacy, Access and Security Congress
David Elder
Stikeman Elliott LLP
STIKEMAN ELLIOTT LLP www.stikeman.com
2. Transborder Data Flows
A key element to privacy policy approaches and
guidelines since the early days of “the information
society”
Should ensure protection, security of data
Should avoid using privacy laws as trade barriers
Where laws in two or more countries offer comparable
privacy safeguards, information should be able to flow
freely between them
Where no reciprocal safeguards, limits on transfers
should go only so far as required to protect privacy
SLIDE 1 STIKEMAN ELLIOTT LLP
3. European Data Protection Directive
Allows transfer between Member States
Data can be transferred outside the EU only where
continued protection guaranteed or certain exemptions
apply
“Adequacy” assessed based on range of factors, can be
at country level or company level (based on “Safe
Harbour” commitment)
Can also transfer to companies in “inadequate”
countries, where transfer governed by EC standard
contractual clauses
SLIDE 2 STIKEMAN ELLIOTT LLP
4. The Dark Side of the Cloud
Out of your control
Insufficient information about cloud operations
Dispersed, complex, multiple players
Co-mingling with others’ data may raise issues:
segregation; auditability; exposure to other’s
vulnerabilities; notification delays where breaches
Potential access by foreign states
Focus on low cost, efficiency may mean
– One-size fits all service, reluctance to customize
– Security as a secondary focus?
SLIDE 3 STIKEMAN ELLIOTT LLP
5. Nothing New Under the Sun
Control
Company Outsource Offshore Cloud
Risk
SLIDE 4 STIKEMAN ELLIOTT LLP
6. Private Sector Privacy
PIPEDA
PIPA (B.C.)
PIPA (Alberta)
NUNAVUT
Quebec Privacy Act
YUKON
NORTHWEST
TERRITORIES
NEWFOUNDLAND
BRITISH QUEBEC
COLUMBIA MANITOBA
ALBERTA
PEI
ONTARIO
SASKATCHEWAN NOVA SCOTIA
NEW BRUNSWICK
SLIDE 5 STIKEMAN ELLIOTT LLP
7. Key Privacy Obligations & Challenges
Obligations Cloud Challenges:
Accountability How to maintain control,
visibility?
Organization responsible for
personal info it collects, even Difficult to audit if widely
when transferred to 3rd parties dispersed, co-mingled
Consent Can be need for explicit
consent to storage/processing
Knowledge and consent outside Canada, due to foreign
required for the collection, use legal jurisdictions
and disclosure of personal
information Consent to cloud itself?
SLIDE 6 STIKEMAN ELLIOTT LLP
8. Key Privacy Obligations & Challenges
Obligations Cloud Challenges:
Limiting Use, Disclosure, Uncertainty won’t be
Retention mined/used for other purposes
To be used solely for identified Uncertainty of retention
purpose periods, foreign requirements?
To be retained only as long as Right to destroy, delete, have
necessary to fulfil purposes, returned
then returned or destroyed
Access & Accuracy
Ensure individual will have
Right of access access
Right to correct Ensure can quickly correct
incomplete or inaccurate data
SLIDE 7 STIKEMAN ELLIOTT LLP
9. Key Privacy Obligations & Challenges
Obligations Cloud Challenges
Security Tendency to one-size-fits all
Security safeguards appropriate Cloud makes security decisions -
to sensitivity of personal info not you
Cloud unaware of sensitivity of
info
Breach Notification
Need to be advised of cloud
Advise Privacy Commissioner(s), breach
individuals/customers
How to define what notifiable
Need cooperation, up-to-minute
details
Could be many cloud users
affected
SLIDE 8 STIKEMAN ELLIOTT LLP
10. Other Legal Obligations
OSFI Guidelines on Outsourcing of Business Activities,
Functions and Processes
In accordance with federal legislation, certain records
should be maintained in Canada, OSFI access ensured
Tendency to overly conservative approach?
Requires audit and access rights over service provider
(for institution and OSFI)
Requires detailing physical data storage locations
SLIDE 9 STIKEMAN ELLIOTT LLP
11. Guidelines for Processing Personal Data Across Borders
Apply to private sector only
Accountability principle is key
Be transparent
Actual safeguards can vary, based on inherent sensitivity
of data, potential risk of unauthorized disclosure or
access (and cost?)
Third party should have clear and reliable security
policies, consistent training program for staff
Audit rights help, but difficult to execute – likely more a
deterrent
SLIDE 10 STIKEMAN ELLIOTT LLP
12. Guidelines for Processing Personal Data Across Borders
Most fundamentally, organizations should be selective in
choosing foreign service providers, cloud providers
Should pay particular attention to legal/political regimes
in which third party operates
Economic and social conditions may also be relevant
Clarity, transparency, security, careful location selection
can be a competitive advantage for organizations and
third party service providers – and particularly for cloud
providers
SLIDE 11 STIKEMAN ELLIOTT LLP
13. EC Standard Contractual Clauses
Data importer agrees and warrants:
Will process only for purposes directed by exporter
Applicable laws no barrier to fulfilling obligations
Has implemented specified technical & operational security
measures
Will respond to exporter inquiries and submit to audit
Will promptly notify re:
– LEA demand for disclosure (unless prohibited)
– Breach
– Access request by subject
– Sub-contracting (& get consent, bind to safeguards)
SLIDE 12 STIKEMAN ELLIOTT LLP
14. Standards & Certifications
Independent certification by reputable 3rd pary
Audit against recognized standard: ISO, PCI, etc.
Some regulators have recognized as legitimate approach
Some process/governance related; some about
physical/technical measures
Registries also useful, but less so – good initial step, will
facilitate comparisons, drive privacy/security as a
competitive attribute
SLIDE 13 STIKEMAN ELLIOTT LLP
15. “Accountability, rather than geographical limits, is the
basic model for Canadian data protection. This model
brings the advantages of flexibility and low compliance
overhead for corporations whose profits derive from
innovation. But accountability also means that use of
Canadian’s personal information must meet Canadian legal
standards, wherever in the cloud this may be happening.”
Jennifer Stoddart, 2009
SLIDE 14 STIKEMAN ELLIOTT LLP
16. I Can See Clearly Now
Not for everyone
Choose your provider very carefully
Look for standards, certifications
Bake key terms, levels, guarantees into contract:
– Security practices and requirements
– Breach/investigation response
– Audit
– Liability, indemnity
– Subcontracting control
SLIDE 15 STIKEMAN ELLIOTT LLP