Cloudy with a Chance of Privacy Compliance - Reboot Ottawa 2012

Page 1: Cloudy with a Chance of Privacy Compliance - Reboot Ottawa 2012

PRESENTATION OCTOBER 5, 2012
3rd Annual Privacy, Access and Security Congress
STIKEMAN ELLIOTT LLP www.stikeman.com

Cross Border Data Flows; Multi National Cloud Environments

David Elder, Stikeman Elliott LLP

Cloudy with a Chance of Privacy Compliance

Page 2 (Slide 1): Transborder Data Flows

A key element of privacy policy approaches and guidelines since the early days of “the information society”
Should ensure protection and security of data
Should avoid using privacy laws as trade barriers
Where laws in two or more countries offer comparable privacy safeguards, information should be able to flow freely between them
Where there are no reciprocal safeguards, limits on transfers should go only so far as required to protect privacy

Page 3 (Slide 2): European Data Protection Directive

Allows transfer between Member States
Data can be transferred outside the EU only where continued protection is guaranteed or certain exemptions apply
“Adequacy” is assessed based on a range of factors and can be at country level or company level (based on a “Safe Harbour” commitment)
Can also transfer to companies in “inadequate” countries where the transfer is governed by EC standard contractual clauses

Page 4 (Slide 3): The Dark Side of the Cloud

Out of your control
Insufficient information about cloud operations
Dispersed, complex, multiple players
Co-mingling with others’ data may raise issues: segregation; auditability; exposure to others’ vulnerabilities; notification delays where breaches occur
Potential access by foreign states
Focus on low cost and efficiency may mean:
– One-size-fits-all service, reluctance to customize
– Security as a secondary focus?

Page 5 (Slide 4): Nothing New Under the Sun

[Figure: a spectrum running Company, Outsource, Offshore, Cloud, plotted against Risk and Control]

Page 6 (Slide 5): Private Sector Privacy

[Figure: map of Canada showing the provinces and territories]

Private Sector Privacy:
PIPEDA
PIPA (B.C.)
PIPA (Alberta)
Quebec Privacy Act

Page 7 (Slide 6): Key Privacy Obligations & Challenges

Obligations:
Accountability: the organization is responsible for the personal information it collects, even when it is transferred to third parties
Consent: knowledge and consent are required for the collection, use and disclosure of personal information

Cloud challenges:
How to maintain control and visibility?
Difficult to audit if widely dispersed, co-mingled
There can be a need for explicit consent to storage/processing outside Canada, because of exposure to foreign legal jurisdictions
Consent to the cloud itself?

Page 8 (Slide 7): Key Privacy Obligations & Challenges (continued)

Obligations:
Limiting use, disclosure, retention: to be used solely for the identified purpose; to be retained only as long as necessary to fulfil those purposes, then returned or destroyed
Access & accuracy: right of access; right to correct

Cloud challenges:
No certainty that data won’t be mined or used for other purposes
Uncertainty about retention periods; foreign retention requirements?
Right to have data destroyed, deleted or returned
Ensure the individual will have access
Ensure incomplete or inaccurate data can be corrected quickly

Page 9 (Slide 8): Key Privacy Obligations & Challenges (continued)

Obligations:
Security: safeguards appropriate to the sensitivity of the personal information
Breach notification: advise Privacy Commissioner(s) and affected individuals/customers

Cloud challenges:
Tendency to one-size-fits-all
The cloud provider makes the security decisions, not you
The cloud provider is unaware of the sensitivity of the information
Need to be advised of a cloud breach
How to define what is notifiable
Need cooperation and up-to-the-minute details
Many cloud users could be affected

Page 10 (Slide 9): Other Legal Obligations

OSFI Guidelines on Outsourcing of Business Activities, Functions and Processes
In accordance with federal legislation, certain records should be maintained in Canada, and OSFI access ensured
Tendency to an overly conservative approach?
Requires audit and access rights over the service provider (for the institution and for OSFI)
Requires detailing physical data storage locations

Page 11 (Slide 10): Guidelines for Processing Personal Data Across Borders

Apply to the private sector only
Accountability principle is key
Be transparent
Actual safeguards can vary, based on the inherent sensitivity of the data and the potential risk of unauthorized disclosure or access (and cost?)
Third party should have clear and reliable security policies and a consistent training program for staff
Audit rights help, but are difficult to execute; likely more a deterrent

Page 12 (Slide 11): Guidelines for Processing Personal Data Across Borders (continued)

Most fundamentally, organizations should be selective in choosing foreign service providers and cloud providers
Should pay particular attention to the legal/political regimes in which the third party operates
Economic and social conditions may also be relevant
Clarity, transparency, security and careful location selection can be a competitive advantage for organizations and third-party service providers, and particularly for cloud providers

Page 13 (Slide 12): EC Standard Contractual Clauses

Data importer agrees and warrants that it:
Will process only for purposes directed by the exporter
Faces no barrier in applicable laws to fulfilling its obligations
Has implemented the specified technical and operational security measures
Will respond to exporter inquiries and submit to audit
Will promptly notify the exporter of:
– A law enforcement (LEA) demand for disclosure (unless prohibited)
– A breach
– An access request by a data subject
– Sub-contracting (and obtain consent, and bind the sub-contractor to the safeguards)

Page 14 (Slide 13): Standards & Certifications

Independent certification by a reputable third party
Audit against a recognized standard: ISO, PCI, etc.
Some regulators have recognized this as a legitimate approach
Some standards are process/governance related; some are about physical/technical measures
Registries are also useful, but less so: a good initial step that will facilitate comparisons and drive privacy/security as a competitive attribute

Page 15 (Slide 14)

“Accountability, rather than geographical limits, is the basic model for Canadian data protection. This model brings the advantages of flexibility and low compliance overhead for corporations whose profits derive from innovation. But accountability also means that use of Canadians’ personal information must meet Canadian legal standards, wherever in the cloud this may be happening.”

Jennifer Stoddart, 2009

Page 16 (Slide 15): I Can See Clearly Now

Not for everyone
Choose your provider very carefully
Look for standards and certifications
Bake key terms, service levels and guarantees into the contract:
– Security practices and requirements
– Breach/investigation response
– Audit
– Liability, indemnity
– Subcontracting control