PIPEDA: Reading the tea leaves
In 2000, the Privacy Commissioner in Canada passed the Personal Information Protection & Electronic Documents Act (PIPEDA). It sets out the legal rules for collecting and storing (read: protecting) personal information on Canadians.
Separately, in its Department of Homeland Security response to the terrorist attacks of 9/11, the US government expanded its power to subpoena data with the “Patriot Act”. The US government can subpoena data from companies and gag them from even notifying account holders. The public doesn’t know how often this happens, but we do have a high profile example in the news right now: Twitter Shines a Spotlight on Secret F.B.I. Subpoenas.
Since these two legal frameworks were established, cloud computing has became broadly accepted, thanks in part to excellent platforms like Amazon Web Services. None of the major cloud platforms have data centers in Canada, which means there is a potential collision between PIPEDA and US law that would complicate cloud usage for services that collect and store Canadian consumer data.
Should Canadian companies be nervous about storing data in cloud providers in the US? I turned up no definitive answer, but here’s some interesting tidbits from the Canadian government.
- “PIPEDA does not prohibit organizations in Canada from transferring personal information to an organization in another jurisdiction for processing.”
“In an investigation into a complaint involving outsourcing to a U.S. firm by CIBC Visa, the OPC found CIBC to be in compliance with PIPEDA.”–Guidelines for Processing Personal Data Across Borders
- “PIPEDA does not hinder our global economy. In fact, the legislation itself states that it is intended to support and promote electronic commerce by protecting personal information.”
“The organization needs to use contractual or other means to provide a level of protection comparable to PIPEDA while the information is being processed by a third party.”–Canadian Federal Privacy Legislation: The First Ten Years (Sept 2010)
Sounds like some wiggle room to me. Executives need to weigh the risk of being sued in Canada (as CIBC Visa was sued in 2004) against the significant reward of moving their systems into the cloud.
CentriLogic, a cloud/hosting company, is trying to capitalize on the situation. Their marketing pitch, writ large in all-caps on their homepage: Do you know where your cloud servers are?
Unfortunately, the CentriLogic platform is nowhere near competitive with Amazon’s, which continues to impress me with frequent and significant upgrades. (AWS is this CTO’s dream come true!)
How can Canada-focused companies deliver consumer products and services on a par with their US counterparts if they can’t leverage modern cloud platforms?