My Old LibTech Blog (2013-2016)

Don't worry, be happy

Author: John Durno
Date: 2014-07-08


One of the challenges for public institutions wanting to adopt Cloud software is the set of thorny security and privacy issues around the handling of user data. There are definite risks associated with entrusting data to third parties, and it's reasonable to assume that public institutions are responsible for protecting user privacy and not exposing users to undue risk.

The risks escalate as the data moves outside Canadian jurisdiction. Data stored outside Canadian borders is not subject to our laws or oversight. Government agencies outside of Canada have no accountability to Canadian citizens, whereas our own government agencies do have some accountability. (And to those cynics who would disagree, I say "Bill C-30".)

Recognizing these risks, BC privacy legislation puts up some fairly serious roadblocks for out-of-country storage of personal data. According to the Office of the BC Information and Privacy Commissioner, here’s what you need to do if you’re a public body wanting to store user data outside of Canada:
Under s. 30.1(a) of FIPPA, public bodies can store or access personal information outside of Canada if the individual the personal information is about has given consent to the public body to do so. The consent must be in the prescribed manner. The regulations to FIPPA set out the requirements for consent under s. 30.1(a). According to the regulations, an individual’s consent must be in writing and must specify the personal information for which the individual is providing consent, the date on which the consent is effective and, if applicable, what date the individual’s consent expires. The consent must also specify who may store or access the personal information from outside of Canada, and if it is practicable, which jurisdiction the personal information may be stored in or accessed from. The consent must also specify the purpose of storing or accessing the personal information.

So it's not impossible for a public body to store user data out of country, but the administrative overhead is such that you'd really have to have no other option. Written consent? Geez, no thanks.

Of course, the providers of US-hosted Cloud services often make light of the idea that hosting user data out of country is a greater risk. I recently received this advice from a prospective service provider about what we should tell our faculty when they express related concerns:
Q: We anticipate some faculty members in Canada might have concerns related to the difference between Canadian and US privacy law. How should we address their concerns?

A: According to the Canadian government, there has never been a case where a Canadian’s personal information has been accessed under the USA PATRIOT Act. See FAQs by Treasury Board of Canada Secretariat, which specifically asks:
Q: “Has there been a case where personal information about a Canadian was accessed under the USA PATRIOT Act?”
A: “The federal government is not aware of any such case to date.”

Moreover, while Company X cannot offer legal advice and cannot guarantee the actions of either country’s government, there is really no substantive difference between Canadian and US laws with respect to either government’s ability to access personal information, regardless of whether computer servers are located in the USA, Canada, or in the cloud.

There's a lot wrong with this. For starters, it's quite a leap from "not aware of any such case" to "there has never been a case." This assumes that:

a. US government agencies would actually inform the Treasury Board whenever they intercept Canadian personal information, and
b. The Treasury Board would publicize such an interception if they were aware of one.

But there's a bigger issue here, namely accountability. The laws may be substantively the same in the US and Canada, but here's the trick: they don't extend to each other's countries. In other words, government agencies in each country may have the same kinds of access rights, but only to information in their own jurisdiction. The US can't pass a law that gives them access to information on Canadian servers, any more than Canada could pass a law giving us access to US-hosted data.

Now, I'm sure that in practice there's a high degree of cooperation between government agencies on both sides of the border, and probably the US agencies can get whatever they want from their Canadian equivalents. But you know what? From a procedural point of view, that's how it should work. As long as the Canadian agencies are involved, accountability is maintained. Removing them from the picture (by transferring the data to US soil) reduces accountability to zero. That's not trivial, however much our vendors would like us to think that it is.