Monday, April 28, 2014

Data location doesn't matter: US Federal Judge

In a decision that should not come as a big surprise, a US Federal Court judge has determined that the location of data under Microsoft's custody is not relevant. If Microsoft can produce it, it is required to do so.

As reported in Computerworld, the decision relates to a search warrant that directed Microsoft to produce the contents of one of its customer’s e-mails, where that information is stored on a server located in Dublin, Ireland. Microsoft contended that courts in the US cannot issue warrants for extraterritorial search and seizure, but the judge denied Microsoft's motion to quash the warrant. It argued, in part, that a US court can't issue a search warrant for premises outside of the United States so they should not be able to do so virtually.

However, the Court found that these orders may look like search warrants but they are more like subpoenas. They order an American company to do something entirely in the Unites States:

But the concerns that animate the presumption against extraterritoriality are simply not present here: an SCA Warrant does not criminalize conduct taking place in a foreign country; it does not involve the deployment of American law enforcement personnel abroad; it does not require even the physical presence of service provider employees at the location where data are stored. At least in this instance, it places obligations only on the service provider to act within the United States....

This case, for some Canadian readers will be reminiscent of the Canadian Federal Court decision in eBay Canada Ltd. v. M.N.R., 2008 FCA 348, where the Court ordered eBay in Canada to turn over information about Canadian "powersellers" regardless of the fact that the data was not within the territorial jurisdiction of the Court.

Microsoft is appealing this decision, but for now it stands for the proposition that the location of data is largely irrelevant in determining whether a government can order it to be turned over. The location or nationality of the custodian is much more relevant.

Monday, March 31, 2014

Charmaine Borg MP introduces private members bill to add breach notification to the federal Privacy Act

Charmaine Borg, the NDP's digital issues critic and the most activist MP in the area of privacy has tabled Bill C-580 to update the federal Privacy Act to require breach notification and a mandatory 5-year review of the Act. More info here: LEGISinfo - Private Member’s Bill C-580 (41-2).

In the wake of so many privacy breaches by federal government departments, I can get onboard with this.

Friday, March 28, 2014

Cloud Computing FAQ for Canadian In-house Counsel

The Canadian Corporate Counsel Association Magazine (CCCA Magazine) Spring 2014 edition had a strong focus on privacy, "Managing your Privacy Risk: An In-house Guide." The edition included a version of my Cloud Computing and Privacy FAQ, focused at in-house counsel. Click the image (or here) to get the full article:

Wednesday, January 22, 2014

Microsoft to agree to local storage of foreign users' data

According to the Financial Times, Microsoft is going to break from the pack of other cloud service providers by agreeing to store data locally. FT.com content is behind an annoying paywall, but here's the gist of it along with some commentary.

Microsoft to shield foreign users’ data - FT.com

By James Fontanella-Khan in Brussels and Richard Waters in San Francisco

Microsoft will allow foreign customers to have their personal data stored on servers outside the US, breaking ranks with other big technology groups that until now have shown a united front in response to the American surveillance scandal.

Brad Smith, general counsel of Microsoft, said that although many tech companies were opposed to the idea, it had become necessary following leaks that showed the US National Security Agency had been monitoring the data of foreign citizens from Brazil to across the EU.

“People should have the ability to know whether their data are being subjected to the laws and access of governments in some other country and should have the ability to make an informed choice of where their data resides,” he told the FT. ...


This decision seems to be based on (or appealing to) the fiction that the location of data is somehow determinative of whether law enforcement or national security folks can get access to data. As I said, it's mostly a fiction. Governments can assert control over things, or people, or entities on a number of bases. One of them is the presence of the thing (a server) in the physical jurisdiction, but most importantly is the presence of the person who can obtain and hand over the data.

... Some critics of the idea have questioned whether such a move would be effective in putting the personal data of non-Americans outside the reach of the NSA, since US tech companies have to hand over information about specific users when ordered to by a secret US court, regardless of where it is held.

However, keeping the information off US soil and under local data protection rules should make it harder for the NSA to tap into illicitly, Mr Chester said. “If the data are not being transported, then it does stop that kind of access.” ...


While this isn't really a solution to the principal problem that many people associate with the USA Patriot Act and the FISA Amendments Act, it may be an economically rational decision since many customers will only ask where the data is, rather than what it really means.

Mr Smith acknowledged that it would be expensive but added “does it mean that you ignore what customers want? That’s not a smart business strategy.” ...

I do agree, however, that the big question which is the driver behind all of this needs to be addressed at a government-to-government level.

Mr Smith also said that the US and EU should consider signing an international agreement that ensures they will not try to seek data in each other’s territory via technology companies.

“If you want to ensure that one government doesn’t seek . . . to reach data in another country, the best way to do it is . . . an international agreement between those two countries. Secure a promise by each government that it will act only pursuant to due process and along the way improve the due process.”

He argued that the existing “Mutual Legal Assistance Treaty” mechanism used by the US and EU to protect individuals’ rights from the two blocs is outdated: “It needs to be modernised or replaced.”

Tuesday, January 14, 2014

Privacy Commissioner of Canada offers outsourcing guidance

Today, the Office of the Privacy Commissioner of Canada posted a "Fact Sheet: Privacy and Outsourcing", which leads to two resources depending on whether you're looking at the public sector (Privacy Act) or the private sector (PIPEDA).

The fact sheets are mostly a collection of useful links and resources, though there are some general statements. The one the I find most interesting is the following:

Organizations need to make it plain to individuals that their information may be processed in a foreign country and that it may be accessible to law enforcement and national security authorities of that jurisdiction. They must do this in clear and understandable language. Ideally they should do it at the time the information is collected. Once an informed individual has chosen to do business with a particular company, they do not have an additional right to refuse to have their information transferred.

When personal information is in the hands of a third-party service provider operating on foreign soil, it is subject to the laws of that country and no contract can override that. This could mean, for instance, that the organization may be obliged to respond to a subpoena or other mechanism that would give law enforcement officials access to personal information.


This has consistently been the position of the OPC, starting with a PIPEDA finding from 2005 when the Commissioner said that a bank should (not must) advise customers that the processing of data will be outsourced to a US service provider. I have to note, though, that PIPEDA doesn't contain any actual obligation to provide such notice. So I'm not sure where the obligatory language from the OPC's new fact sheet comes from.

In any event, the fact sheets do provide useful information about the OPC's take on cross-border outsourcing.