The term “cloud computing” does not designate a specific technology, but a new method for accessing and utilizing computer-based resources or services.
From a legal standpoint, using information-technology (IT) services based on a cloud-computing model where documents of a confidential nature are communicated or transferred for processing or storage requires an analysis of several issues involving the secure management of information and the protection of personal information (PI).
In Québec, the legal framework for these issues is provided by the Act to Establish a Legal Framework for Information Technology, (“ELFIT”)1 the statutes on the protection of PI in both the public sector (the Act respecting access to documents held by public bodies and the protection of personal information) (ADPPPI)2 and in the private sector (the Act respecting the protection of personal information in the private sector) (PPIPS)3 and by certain statutes that apply to specific spheres of activity4.
The act regarding the legal framework for IT
The provisions of ELFIT impose on organizations in Québec the obligation to expressly disclose the nature of any confidential document it entrusts to a service provider and ensure that measures or processes are implemented to guarantee the security of such documents. While those provisions have yet to be judicially interpreted, their wording implies that more is required than the standard contractual reference to “industry best practices”.
ELFIT also deals with the transmission of confidential documents5, specifying that the confidentiality of the transmitted documents must be preserved by a means appropriate to the mode of transmission, and that the means used (such as encryption) must be documented.
The statutes on the protection of personal information
Like the federal legislation6, both of the Québec statutes on the protection of PI refer to the possibility for an organization to use the services of a third party for handling documents containing PI. The statute that applies to the public sector also creates the obligation for the organization to conclude a written contract that specifies the applicable provisions of that statute and provides for measures to preserve the confidentiality of the PI and for obtaining confidentiality agreements. As for the statute applicable to the private sector, Québec’s access to information commission [Commission d’accès à l’information] has interpreted it to require the conclusion of a written contract as well7.
The two Québec statutes also provide for the possibility of using a service provider whose facilities are located outside Québec for the purposes of storing, using or communicating an organization’s information, without the organization having to obtain the specific consent of the persons whose PI is involved. However, the relevant sections provide that the organization must ensure that such PI is protected to the same degree as that contemplated by the relevant provisions of the statute applicable to the private sector or, in the case of public bodies, by those of the ADPPPI.8
In our view, this obligation may be satisfied by reviewing the legal framework for the protection of PI in the jurisdiction of the foreign service provider, in order to determine first of all whether such a framework exists, and if so whether it recognizes the right to privacy and the principle of the confidentiality of PI, and whether it contains provisions that are incompatible with the Québec statutory regime.9
Rights of access of government authorities
In the case of the United States of America, the aforementioned review must focus more specifically on both recognition of privacy rights and the extent to which the government has the right to access PI. The purpose of this particular review is to determine whether the government’s access rights are such that a Québec organization would conclude that information entrusted to an American service provider would not have the same degree of protection as that afforded by Québec law, or whether, on the contrary, the potential exercise of those access rights can be likened to a situation where information is communicated to “a body responsible for the prevention, detection or repression of crime or statutory offences” within the meaning of the exceptions under the Québec statutes.
While the U.S. constitution recognizes the right to privacy, that right can generally only be invoked by American citizens. Moreover, the protection of PI in the private sector is not provided by any statute of general application, but by statutes applicable to specific spheres of activity. Among these, the Electronic Communication Privacy Act10 recognizes that users of telecommunications services are entitled to an expectation of privacy and imposes non-disclosure obligations on service providers.
However, the U.S. statutes giving government authorities access powers supersede and negate those non-disclosure obligations. Since 2001, the Patriot Act has often been identified as constituting a risk of unauthorized disclosure of PI, which argues against using American service providers or having business relationships with them.
In addition, the access rights afforded to U.S. authorities must be compared with those available to their Canadian counterparts since the adoption, in December 2001, of the Anti-terrorism Act11. That statute entailed the amendment of several other statutes, including the Criminal Code, so as to expand the scope of the powers given to government authorities responsible for preventing, detecting or repressing crime or statutory offences. Today, various federal statutes give Canadian governmental authorities rights to intercept and seize data that are similar to those granted under U.S. statutes.12
Despite the similarity of the access powers granted pursuant to the U.S. and Canadian statutes, there can be a significant difference in how they are interpreted and applied13. The documents made public by Edward Snowden in 2013 reveal the extent of the authorizations granted by the Foreign Intelligence Surveillance Tribunal and of the surveillance operations conducted pursuant to the powers given to U.S. authorities. It must be said in this regard that the extent of the surveillance and information-gathering undertaken by U.S. authorities appears to have greatly exceeded that which could have been anticipated in light of the actual wording of the applicable statutes.14
As for the situation in Canada, we do not have sufficient information regarding the extent of existing surveillance operations. Some documents made public in 2013 do however indicate the degree of collaboration that exists among the respective authorities of the member countries of the “Five Eyes” (Canada, the U.S., Great Britain, Australia and New Zealand) and reveal that Canada cooperatively engaged in the surveillance of electronic communications during the G-20 summit held in Canada in 201015.
Last year’s revelations argue in favour of an analysis of the sensitivity of documents that could potentially be entrusted to a third-party service provider and the security mechanisms available to Québec organizations. The need for such a legal analysis does not of course rule out examining the advisability of using cloud-computing services after performing a proper risk analysis. As in any circumstances, Québec organizations should take the time to determine the degree of sensitivity of the categories of documents that could potentially be outsourced, to scrutinize the profile of the service provider and the security measures it proposes to implement and the impact of notifying the persons whose PI will be transferred16.