[A2k] M.Geist: Does it Matter Where Your Data Lives?

Manon Ress manon.ress at keionline.org
Wed Aug 21 10:48:18 PDT 2013


Does it Matter Where Your Data Lives?
Wednesday August 21, 2013

Does it matter where your computer data such as email, digital photos,
personal videos, and documents resides? The Canadian Chamber of Commerce
apparently doesn’t think so. It recently joined forces with its U.S.
counterpart to argue for new rules in the Trans Pacific Partnership - a
proposed new trade agreement that includes Canada, the U.S., Japan,
Australia and many other Asian and South American countries - that would
create barriers to privacy protections designed to require that personal
data be stored locally.

My weekly technology law column (Toronto Star version, homepage version)
notes that for many years, the issue was largely irrelevant to most
computer users since their data was typically kept on computer hard drives
within their own homes or offices. While there was always a security risk
associated with malware or hackers, using reasonable security precautions
provided some protection and there was little risk of warrantless access to
the data.

More recently, Internet companies have promoted the benefits of the cloud
computing, a reference to storing data online on giant computer server
farms maintained by giants such as Google, Amazon, and Microsoft.
Cloud-based services offer a host of advantages, including access any time
from any device (provided you have Internet connectivity), the elimination
of the need for software upgrades, seemingly infinite storage capacity, and
state of the art security systems.

Yet for all the benefits, the recent disclosures of widespread Internet
surveillance represents an enormous privacy risk that could tilt the
balance away from cloud-based services altogether or increase demand for
local providers that are less vulnerable to U.S.-based surveillance. In
fact, the Information Technology and Innovation Foundation recently
estimated that the U.S. cloud computing industry could lose tens of
billions of dollars in the coming years should non-U.S. users withdraw
their data.

Foreign cloud computing providers will undoubtedly try to seize this
opportunity. Some European providers have already experienced a sharp
increase in sales in the aftermath of the surveillance disclosures.
Meanwhile, Canadian companies such as Bell have begun to tout their
made-in-Canada data storage services, while Telus has emphasized the
privacy risks associated with a Verizon entry into Canada.

Whether local providers can provide better safeguards is still unclear,
however, since the full scope of Canadian-based surveillance remains
shrouded in secrecy. Moreover, Canadian-based data often crosses the border
into the U.S. during routine transmissions, which presumably allows for the
communications to be captured by the expansive surveillance infrastructure
that seemingly tracks all Internet communications.

Even if Canadian companies could provide privacy assurances that the data
they collect and store is not subject to U.S. snooping, the plan from the
Canadian and U.S. Chambers of Commerce would be to prohibit governments -
both national and provincial - from creating legal requirements to store
data domestically.

Their concern about legislative blocking of data transfers pre-dates the
recent surveillance disclosures. In 2004, the British Columbia government
responded to concerns that provincial health data could be subject to
disclosure under the USA Patriot Act by enacting a law requiring public
bodies to ensure that "personal information in its custody or under its
control is stored only in Canada and accessed only in Canada." The same law
also requires those institutions and their service providers to notify the
Minister if it receives a foreign demand for personal information. The B.C.
law was soon after replicated in Nova Scotia.

While these laws are limited to governmental storage of data, the
surveillance programs make no such distinction. The concerns associated
with the USA Patriot Act may have been overstated, but as the scope of
surveillance activities comes into focus, public concern appears to be well
justified. This suggests that there may be mounting pressure for similar
safeguards over private sector activities and that adopting the Canadian
Chamber of Commerce proposal within the TPP would dangerously preclude the
government from providing Canadians with much-needed privacy safeguards.

Manon Ress, Knowledge Ecology International, KEI
manon.ress at keionline.org, tel.: +1 202 332 2670
KEI is a not for profit non governmental organization that searches for
better outcomes, including new solutions, to the management of knowledge
resources. KEI is focused on social justice, particularly for the most
vulnerable populations, including low-income persons and marginalized

More information about the A2k mailing list