Does it matter where your computer data such as email, digital photos, personal videos, and documents resides? The Canadian Chamber of Commerce apparently doesn’t think so. It recently joined forces with its U.S. counterpart to argue for new rules in the Trans Pacific Partnership – a proposed new trade agreement that includes Canada, the U.S., Japan, Australia and many other Asian and South American countries – that would create barriers to privacy protections designed to require that personal data be stored locally.
My weekly technology law column (Toronto Star version, homepage version) notes that for many years, the issue was largely irrelevant to most computer users since their data was typically kept on computer hard drives within their own homes or offices. While there was always a security risk associated with malware or hackers, using reasonable security precautions provided some protection and there was little risk of warrantless access to the data.
More recently, Internet companies have promoted the benefits of the cloud computing, a reference to storing data online on giant computer server farms maintained by giants such as Google, Amazon, and Microsoft. Cloud-based services offer a host of advantages, including access any time from any device (provided you have Internet connectivity), the elimination of the need for software upgrades, seemingly infinite storage capacity, and state of the art security systems.
Yet for all the benefits, the recent disclosures of widespread Internet surveillance represents an enormous privacy risk that could tilt the balance away from cloud-based services altogether or increase demand for local providers that are less vulnerable to U.S.-based surveillance. In fact, the Information Technology and Innovation Foundation recently estimated that the U.S. cloud computing industry could lose tens of billions of dollars in the coming years should non-U.S. users withdraw their data.
Foreign cloud computing providers will undoubtedly try to seize this opportunity. Some European providers have already experienced a sharp increase in sales in the aftermath of the surveillance disclosures. Meanwhile, Canadian companies such as Bell have begun to tout their made-in-Canada data storage services, while Telus has emphasized the privacy risks associated with a Verizon entry into Canada.
Whether local providers can provide better safeguards is still unclear, however, since the full scope of Canadian-based surveillance remains shrouded in secrecy. Moreover, Canadian-based data often crosses the border into the U.S. during routine transmissions, which presumably allows for the communications to be captured by the expansive surveillance infrastructure that seemingly tracks all Internet communications.
Even if Canadian companies could provide privacy assurances that the data they collect and store is not subject to U.S. snooping, the plan from the Canadian and U.S. Chambers of Commerce would be to prohibit governments – both national and provincial – from creating legal requirements to store data domestically.
Their concern about legislative blocking of data transfers pre-dates the recent surveillance disclosures. In 2004, the British Columbia government responded to concerns that provincial health data could be subject to disclosure under the USA Patriot Act by enacting a law requiring public bodies to ensure that “personal information in its custody or under its control is stored only in Canada and accessed only in Canada.” The same law also requires those institutions and their service providers to notify the Minister if it receives a foreign demand for personal information. The B.C. law was soon after replicated in Nova Scotia.
While these laws are limited to governmental storage of data, the surveillance programs make no such distinction. The concerns associated with the USA Patriot Act may have been overstated, but as the scope of surveillance activities comes into focus, public concern appears to be well justified. This suggests that there may be mounting pressure for similar safeguards over private sector activities and that adopting the Canadian Chamber of Commerce proposal within the TPP would dangerously preclude the government from providing Canadians with much-needed privacy safeguards.