PIPEDA: Reading the tea leaves

In 2000, the Privacy Commissioner in Canada passed the Personal Information Protection & Electronic Documents Act (PIPEDA). It sets out the legal rules for collecting and storing (read: protecting) personal information on Canadians.

Separately, as part of its Department of Homeland Security response to the terrorist attacks of 9/11, the US government expanded its power to subpoena data with the “Patriot Act”. The US government can subpoena data from companies and gag them from even notifying account holders. The public doesn’t know how often this happens, but we do have a high-profile example in the news right now: Twitter Shines a Spotlight on Secret F.B.I. Subpoenas.

Since these two legal frameworks were established, cloud computing has become broadly accepted, thanks in part to excellent platforms like Amazon Web Services. None of the major cloud platforms has data centers in Canada, which means there is a potential collision between PIPEDA and US law that would complicate cloud usage for services that collect and store Canadian consumer data.

Should Canadian companies be nervous about storing data with cloud providers in the US? I turned up no definitive answer, but here are some interesting tidbits from the Canadian government.

  • “PIPEDA does not prohibit organizations in Canada from transferring personal information to an organization in another jurisdiction for processing.”
    “In an investigation into a complaint involving outsourcing to a U.S. firm by CIBC Visa, the OPC found CIBC to be in compliance with PIPEDA.” – Guidelines for Processing Personal Data Across Borders
  • “PIPEDA does not hinder our global economy. In fact, the legislation itself states that it is intended to support and promote electronic commerce by protecting personal information.”
    “The organization needs to use contractual or other means to provide a level of protection comparable to PIPEDA while the information is being processed by a third party.” – Canadian Federal Privacy Legislation: The First Ten Years (Sept 2010)

Sounds like some wiggle room to me. Executives need to weigh the risk of being sued in Canada (as CIBC Visa was sued in 2004) against the significant reward of moving their systems into the cloud.

CentriLogic, a cloud/hosting company, is trying to capitalize on the situation. Their marketing pitch, writ large in all-caps on their homepage: Do you know where your cloud servers are?

Unfortunately, the CentriLogic platform is nowhere near competitive with Amazon’s, which continues to impress me with frequent and significant upgrades. (AWS is this CTO’s dream come true!)

How can Canada-focused companies deliver consumer products and services on a par with their US counterparts if they can’t leverage modern cloud platforms?

Hat tip to lawyer friends Rob Hyndman and Jonas Brandon for their perspectives as I looked into this.

  1. We use AWS here at Savvica to host LearnHub.com, StudyPlaces.com and JumboTests.com. Just curious, you mention that CentriLogic is not competitive with AWS. Can you expound on that?

  2. I meant that CentriLogic does not have a compelling platform compared to Amazon.

    First off, there’s no pricing available on their site! AWS pricing is very clear. (It needs to be, since AWS is self-serve.) Everything is public and transparent. With CentriLogic, you seem to have to negotiate with a salesperson to get started. Boo!

    The breadth and depth of Amazon’s services are just so impressive… just look at their new RDS, for example. CentriLogic doesn’t seem to have anything like this. Same for Route 53, SQS, CloudFront, etc. Even well-funded Amazon competitors like Google, Microsoft, and Salesforce can’t seem to match it – how could CentriLogic?

  3. David Michaud

    It is expected that some Canadian companies would want to develop cloud computing in Canada. There could be fiscal and technical advantages for a Canadian company to store domestically. As mentioned, PIPEDA (or the equivalent provincial statute when exempt from PIPEDA) does not prohibit organizations in Canada from transferring personal information to an organization in another or multiple jurisdictions for processing. However, PIPEDA (or a comparable level of protection) still applies to the information, which usually remains under the control of the outsourcing Canadian company, which needs to contractually ensure that it meets these requirements along with applicable foreign laws and regulations such as the Patriot Act. With information and all parties in Canada, and therefore less foreign regulation and fewer potential jurisdictional issues, along with competitive pricing and other potential advantages, domestic cloud computing may become a viable alternative for Canadian companies.

  4. As I understand it, the issue is not jurisdiction so much as being satisfied that the owner has control over the information. It’s hard to imagine that a self-set-up server environment that happens to be in Canada would be better than the environment available at, say, Amazon.

    With regard to the jurisdictional complexity that follows from introducing another country into the mix: this does not place any greater onus on a Canadian company to comply with PIPEDA. 100% compliance applies, and that cannot be larger.

    In fact, I wonder whether the general perception is that retaining data in Canada lulls folks into the belief that they are compliant and safe?

  5. Craig Mack

    I’m terribly unqualified to comment on this subject – privacy and intellectual property are areas of which I have so little knowledge. I haven’t even read PIPEDA, not to mention that IT is far beyond me.

    Having said that, three comments:

    1) Most legislation will detail to whom it applies. That’s the starting point for determining to whom it applies; it may yet be challenged for overreaching and being unconstitutional;

    2) Again, demonstrating my ignorance, it seems to me that this could be a good opportunity for a cloud computing company to be based in Canada (I’m not sure if this is what CentriLogic does) or perhaps a new division/licensee of Amazon. Companies concerned about overly invasive US laws might take refuge in Canada;

    3) Great writing.

  6. David Michaud

    Great comments. One clarification – Generally, when a Canadian company exports this data to other jurisdictions, it often renders it within the scope of statutes and regulations of that country as well (i.e. the Patriot Act). Amongst other things, it makes compliance more onerous and creates potential jurisdiction and litigation issues. In that sense, Canadian companies worry about more than just “100% compliance with PIPEDA”.

  7. @David … just curious how that would work. I understand that Homeland Security could privately ask a US provider to turn over data but in what way would Canadian companies be required to be compliant with US law?

    The subtext to my question is: what if the Canadian company could encrypt their data such that even Amazon cannot read it? In this scenario Amazon would comply with Homeland Security requests, but the content would be gobbledygook.

    Is there any way that Homeland could go after a Canadian company to request the security key? I assume that under our law that would become public, and I further assume it would have no chance of success in Canadian law.
