Jurisdiction Matters in the Cloud : My recent Interview by cloud.ca
I was recently interviewed by regional cloud provider cloud.ca on jurisdiction issues and the cloud. I explained how regions matter, not only to governments but to any organization with strict compliance requirements or risk management practices. cloud.ca published the interview as a white paper entitled: “Even in the Cloud, Jurisdiction Matters” which summarizes our discussion.
The white paper discusses why jurisdiction matters for cloud computing, for instance what types of data and which industries does Canadian regional jurisdiction have a notable impact on, what types of legislation should be considered when choosing a region outside Canada for cloud, how can “who owns and operates the cloud” impact jurisdiction, and whether keeping data encrypted in transit and “at rest” overcome the challenges with regional jurisdiction.
The paper provides information on issues pertaining specifically to Canada, such as whether Canadian law is particularly “good” or “bad” for certain types of data and whether there are notable differences between Canadian provinces’ legal jurisdictions when it comes to data/cloud. The recent Safe Harbour ruling issued by the Court of Justice of the European Union in October 2015 invalidating an important Commission Decision 2000/520 is also discussed, and I explain what this means for Canada.
I was also asked if in the long term, I expect globalization of digital business to eliminate barriers to who can store, manage and process data. I discuss how it is difficult to say whether the barriers will eventually be eliminated. On a global scale, most countries are using a similar legal framework on the issue of data protection, one which is based on the Fair Information Practices Principles (or FIPPs) which dates back to the early 70s, but that data protection/privacy laws may remain different simply due to cultural differences. For instance, the EU is considered as one of, if not the most privacy stringent jurisdictions in the world, but the US is not, in part because it strongly values freedom of information. Canada sits somewhere in the middle, probably leaning towards the position of the EU, with Quebec having the most stringent privacy laws in Canada. I explain how what might happen in the long run are globally accepted standards that make data outsourcing easier will play a more important role (i.e. ISO security standards such as ISO/IEC 27018).
cloud.ca’s white paper on jurisdiction and the cloud is available here.
This content has been updated on February 25, 2016 at 15 h 13 min.