Is Your Private Data Lost in the Cloud?

US surveillance revelations highlight risks of and regulation questions about storing info online.

By Michael Geist, 20 Aug 2013

Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law.

Interest groups will argue for new rules in the Trans Pacific Partnership that would create barriers to privacy protections designed to require that personal data be stored locally. Cloud image via Shutterstock.

Does it matter where your computer data such as email, digital photos, personal videos, and documents resides? The Canadian Chamber of Commerce apparently doesn’t think so. It recently joined forces with its U.S. counterpart to argue for new rules in the Trans Pacific Partnership -- a proposed new trade agreement that includes Canada, the U.S., Japan, Australia and many other Asian and South American countries -- that would create barriers to privacy protections designed to require that personal data be stored locally.

For many years, the issue was largely irrelevant to most computer users since their data was typically kept on computer hard drives within their own homes or offices. While there was always a security risk associated with malware or hackers, using reasonable security precautions provided some protection and there was little risk of warrantless access to the data.

More recently, Internet companies have promoted the benefits of cloud computing, a reference to storing data online on giant computer server farms maintained by giants such as Google, Amazon, and Microsoft. Cloud-based services offer a host of advantages, including access any time from any device (provided you have Internet connectivity), the elimination of the need for software upgrades, seemingly infinite storage capacity, and state of the art security systems.

Extent of Canadian surveillance cloudy

Yet for all the benefits, the recent disclosures of widespread Internet surveillance represent an enormous privacy risk that could tilt the balance away from cloud-based services altogether or increase demand for local providers that are less vulnerable to U.S.-based surveillance. In fact, the Information Technology and Innovation Foundation recently estimated that the U.S. cloud computing industry could lose tens of billions of dollars in the coming years should non-U.S. users withdraw their data.

Foreign cloud computing providers will undoubtedly try to seize this opportunity. Some European providers have already experienced a sharp increase in sales in the aftermath of the surveillance disclosures. Meanwhile, Canadian companies such as Bell have begun to tout their made-in-Canada data storage services, while Telus has emphasized the privacy risks associated with a Verizon entry into Canada.

Whether local providers can provide better safeguards is still unclear, however, since the full scope of Canadian-based surveillance remains shrouded in secrecy. Moreover, Canadian-based data often crosses the border into the U.S. during routine transmissions, which presumably allows for the communications to be captured by the expansive surveillance infrastructure that seemingly tracks all Internet communications.

Even if Canadian companies could provide privacy assurances that the data they collect and store is not subject to U.S. snooping, the plan from the Canadian and U.S. Chambers of Commerce would be to prohibit governments -- both national and provincial -- from creating legal requirements to store data domestically.

Reason for concern

Their concern about legislative blocking of data transfers pre-dates the recent surveillance disclosures. In 2004, the British Columbia government responded to concerns that provincial health data could be subject to disclosure under the USA Patriot Act by enacting a law requiring public bodies to ensure that "personal information in its custody or under its control is stored only in Canada and accessed only in Canada." The same law also requires those institutions and their service providers to notify the minister if they receive a foreign demand for personal information. The B.C. law was soon after replicated in Nova Scotia.

While these laws are limited to governmental storage of data, the surveillance programs make no such distinction. The concerns associated with the USA Patriot Act may have been overstated, but as the scope of surveillance activities comes into focus, public concern appears to be well justified. This suggests that there may be mounting pressure for similar safeguards over private sector activities and that adopting the Canadian Chamber of Commerce proposal within the TPP would dangerously preclude the government from providing Canadians with much-needed privacy safeguards.
