Most companies now use cloud computing as the model to store or access information and computer applications. For companies that handle sensitive data that is subject to export controls and/or controlled goods regulations, the use of such a technology model raises specific compliance issues. We outline below some of these issues and then propose some avenues to mitigate the risks.
As the use of cloud computing is becoming the norm, and as various authors have proposed elaborate definitions of the notion of “cloud computing”, we will not expand on the subject. Suffice to say for our purposes that the service provider, in the cloud computing model, makes available to the users the infrastructure required for storing and accessing data, software applications and computer processing. The infrastructure consists of many computers and applications spread out in different locations.
We will not expand either on the applicable Canadian export control rules, assuming that the readers are familiar with such rules. We would like to emphasize, however, that Canada has its own set of rules regarding the export of sensitive data and technology. Such rules are in theory distinct from the US ones, and can essentially be divided into two main regimes: (1) the export control regime established under the Export and Import Permits Act and the Export Control List and Area Control List, and (2) the controlled goods regime under the Defence Production Act, which allows the making of regulations regarding “controlled goods”, i.e. certain strategic goods included in the Export Control List and data related thereto. The Controlled Goods Regulations essentially define persons authorized to examine, possess or transfer controlled goods and set out the conditions for handling controlled goods. They require anyone who examines, possesses or transfers controlled goods and/or controlled technology within Canada to register for controlled goods access (with some exemptions).
The use of a cloud computing infrastructure involves the transfer of data, some of which may be controlled. The U.S. Department of Commerce’s Bureau of Industry and Security (BIS) has addressed some of the US export compliance issues raised by cloud computing from the perspective of the service provider. In essence, the BIS has stated, in two advisory opinions, that the service of providing computational capacity through grid or cloud computing is not subject to the Export Administration Regulations (EAR), since the service provider is not shipping or transmitting any commodity, software or technology subject to the EAR to the user.
The issues for the user, however, still remain unaddressed. There is in fact no panacea for the issues raised by cloud computing from the perspective of companies that handle sensitive data. Just like in most compliance matters, the solutions lie in awareness, planning and monitoring. We analyze below three scenarios in which Canadian companies can find themselves. One must bear in mind that the possible scenarios are infinite and that each situation must be analyzed differently, depending on the specific facts. For example, we assume that all employees of the Canadian company access the cloud provider’s servers from a Canadian location; if this is not the case, companies might have to simultaneously comply with export, re-export and controlled goods issues. Nor do we address the transfer of U.S.-origin technology using U.S. servers, or the use of a server outside Canada or the United States to process and store data or software macros. In such a case, the user may have some obligation to comply with the EAR and the International Traffic in Arms Regulations (ITAR), and/or with the export regulations of the country or countries in which the servers reside. The analysis of each such possible scenario is beyond the scope of this paper.
The first scenario we will examine is one where the user is in Canada, and the service provider resources are in the United States. If the servers of the “cloud” are located solely in the United States, the transmission of data to the cloud – for example by saving a file on the server – will constitute an export. However, as Canadian export permits are not required for most controlled goods or technology destined to a final consignee in the United States, the user will not have to take any specific action to ensure compliance. For specific items that do require an export permit (i.e. some items on the Munitions List, the Missile Technology Control Regime List and the Chemical and Biological Weapons Non-Proliferation List, as well as all items on the Nuclear Non-Proliferation List and on the Nuclear-Related Dual-Use List), the company must submit an export permit application to the Canadian Export Controls Division. It must also be noted that the transfer of data that transits the U.S. to third destinations does not benefit from the export permit exemption. The user who uses the cloud to store data that is specifically designed for military uses should however be aware that such data may become ITAR-controlled as a result of it being modeled in the United States and stored on a U.S. server.
This leads us to the second scenario, which involves a service provider whose resources are in multiple countries. Just as in the previous scenario, the transmission of data to the cloud will constitute an export. However, unlike the situation where all servers are in the United States, export permits would be required, just as for any other electronic export of technology or software.
Finally, the third scenario assumes that the service provider resources are in Canada. Although this may seem like the most straightforward situation, it must be remembered that in-country transfers of controlled goods are subject to the Canadian Controlled Goods Regulations and to ITAR re-export controls. Certain steps are required to ensure compliance. These include registering under the controlled goods program, maintaining and implementing a security plan and training program, etc. The company should also ensure that the locations of the servers are registered under the Controlled Goods program. Also, as per a recent rule published by the U.S. Directorate of Defense Trade Controls of the U.S. Department of State (DDTC/DOS), Canadian companies that handle ITAR items and information and that employ dual nationals and third-country nationals must obtain DDTC/DOS approval under the ITAR and screen their employees to make sure that they do not pose a risk of “diversion of such articles to unauthorized end-users.” Such rules, however, apply whether or not the company uses cloud computing.
A Canadian company that uses cloud computing may mitigate the risks in a few ways. First of all, it should properly identify controlled technology and be sensitive to the data that it loads on the servers. If the company knows that some of the data may be controlled, and if the servers are located outside Canada, the easiest solution may be to segregate the information and keep it on a local server. Firewalls should be put in place to restrict access from outside of Canada. If a service provider is involved, some assurances of the location of the servers and security measures may have to be obtained, as well as an export permit if and when required. As for any compliance program, planning and training are key.
Cloud computing does not create new legal issues, but it multiplies the risk of non-compliance with existing rules, including those that relate to exports. Privacy issues are another example of a non-compliance risk exacerbated by cloud computing. Companies must put in place processes and policies to address these risks, taking into consideration their specific objectives and constraints. Getting proper technical and legal advice in putting such rules in place is essential.