PRESENTATION, OCTOBER 5, 2012: 3rd Annual Privacy, Access and Security Congress
STIKEMAN ELLIOTT LLP www.stikeman.com
SLIDE 1: Cloudy with a Chance of Privacy Compliance
Cross Border Data Flows; Multinational Cloud Environments
David Elder
Stikeman Elliott LLP
SLIDE 2: Transborder Data Flows
A key element of privacy policy approaches and guidelines since the early days of “the information society”
Should ensure protection, security of data
Should avoid using privacy laws as trade barriers
Where laws in two or more countries offer comparable privacy safeguards, information should be able to flow freely between them
Where there are no reciprocal safeguards, limits on transfers should go only so far as required to protect privacy
SLIDE 3: European Data Protection Directive
Allows transfer between Member States
Data can be transferred outside the EU only where continued protection is guaranteed or certain exemptions apply
“Adequacy” assessed based on a range of factors; can be at country level or company level (based on “Safe Harbour” commitment)
Can also transfer to companies in “inadequate” countries, where the transfer is governed by EC standard contractual clauses
SLIDE 4: The Dark Side of the Cloud
Out of your control
Insufficient information about cloud operations
Dispersed, complex, multiple players
Co-mingling with others’ data may raise issues: segregation; auditability; exposure to others’ vulnerabilities; notification delays where there are breaches
Potential access by foreign states
Focus on low cost, efficiency may mean
– One-size-fits-all service, reluctance to customize
– Security as a secondary focus?
SLIDE 5: Nothing New Under the Sun
[Diagram: Company → Outsource → Offshore → Cloud, plotted against Risk and Control]
SLIDE 6: Private Sector Privacy
[Map of Canada showing the provinces and territories]
PIPEDA
PIPA (B.C.)
PIPA (Alberta)
Quebec Privacy Act
SLIDE 7: Key Privacy Obligations & Challenges
Obligations:
Accountability
Organization responsible for personal info it collects, even when transferred to 3rd parties
Consent
Knowledge and consent required for the collection, use and disclosure of personal information
Cloud Challenges:
How to maintain control, visibility?
Difficult to audit if widely dispersed, co-mingled
There can be a need for explicit consent to storage/processing outside Canada, due to foreign legal jurisdictions
Consent to the cloud itself?
SLIDE 8: Key Privacy Obligations & Challenges
Obligations:
Limiting Use, Disclosure, Retention
To be used solely for the identified purpose
To be retained only as long as necessary to fulfil purposes, then returned or destroyed
Access & Accuracy
Right of access
Right to correct
Cloud Challenges:
Uncertainty that data won’t be mined/used for other purposes
Uncertainty over retention periods, foreign requirements?
Right to destroy, delete, have returned
Ensure individual will have access
Ensure incomplete or inaccurate data can be corrected quickly
SLIDE 9: Key Privacy Obligations & Challenges
Obligations:
Security
Security safeguards appropriate to the sensitivity of personal info
Breach Notification
Advise Privacy Commissioner(s), individuals/customers
Cloud Challenges:
Tendency to one-size-fits-all
Cloud makes security decisions - not you
Cloud unaware of sensitivity of info
Need to be advised of cloud breach
How to define what is notifiable
Need cooperation, up-to-the-minute details
Could be many cloud users affected
SLIDE 10: Other Legal Obligations
OSFI Guidelines on Outsourcing of Business Activities, Functions and Processes
In accordance with federal legislation, certain records should be maintained in Canada, OSFI access ensured
Tendency to overly conservative approach?
Requires audit and access rights over service provider (for institution and OSFI)
Requires detailing physical data storage locations
SLIDE 11: Guidelines for Processing Personal Data Across Borders
Apply to private sector only
Accountability principle is key
Be transparent
Actual safeguards can vary, based on inherent sensitivity of data, potential risk of unauthorized disclosure or access (and cost?)
Third party should have clear and reliable security policies, consistent training program for staff
Audit rights help, but difficult to execute – likely more a deterrent
SLIDE 12: Guidelines for Processing Personal Data Across Borders (continued)
Most fundamentally, organizations should be selective in choosing foreign service providers, cloud providers
Should pay particular attention to legal/political regimes in which the third party operates
Economic and social conditions may also be relevant
Clarity, transparency, security, careful location selection can be a competitive advantage for organizations and third party service providers – and particularly for cloud providers
SLIDE 13: EC Standard Contractual Clauses
Data importer agrees and warrants:
Will process only for purposes directed by exporter
Applicable laws no barrier to fulfilling obligations
Has implemented specified technical & operational security measures
Will respond to exporter inquiries and submit to audit
Will promptly notify re:
– LEA demand for disclosure (unless prohibited)
– Breach
– Access request by subject
– Sub-contracting (& get consent, bind to safeguards)
SLIDE 14: Standards & Certifications
Independent certification by reputable 3rd party
Audit against recognized standard: ISO, PCI, etc.
Some regulators have recognized this as a legitimate approach
Some process/governance related; some about physical/technical measures
Registries also useful, but less so – good initial step, will facilitate comparisons, drive privacy/security as a competitive attribute
SLIDE 15
“Accountability, rather than geographical limits, is the basic model for Canadian data protection. This model brings the advantages of flexibility and low compliance overhead for corporations whose profits derive from innovation. But accountability also means that use of Canadians’ personal information must meet Canadian legal standards, wherever in the cloud this may be happening.”
Jennifer Stoddart, 2009
SLIDE 16: I Can See Clearly Now
Not for everyone
Choose your provider very carefully
Look for standards, certifications
Bake key terms, levels, guarantees into contract:
– Security practices and requirements
– Breach/investigation response
– Audit
– Liability, indemnity
– Subcontracting control