Apr 15 update: Here is an excerpt from an Apr 15th Guardian article “Web freedom faces greatest threat ever, warns Google’s Sergey Brin – Exclusive: Threats range from governments trying to control citizens to the rise of Facebook and Apple-style ‘walled gardens’” (emphasis added)
“[Google co-founder Sergey] Brin acknowledged that some people were anxious about the amount of their data that was now in the reach of US authorities because it sits on Google’s servers. He said the company [Google] was periodically forced to hand over data and sometimes prevented by legal restrictions from even notifying users that it had done so.”
The above excerpt is a very powerful statement that should make foreign (to US) decision makers in the private and public sectors think carefully of what they get themselves into by putting data, especially sensitive data, onto Google’s cloud. As we can see from the latest Supreme Court of Canada decision rejecting current Canadian loose wiretap law, the court has made it clear that accountability and effective judicial oversight are very important matters in Canada.
Keywords: The Freedom of Information and Protection of Privacy Act, USA Patriot Act, Privacy Impact Assessment, Office of the Information and Privacy Commissioner of Alberta, Office of the Privacy Commissioner of Canada
Summary: After extensive preparation by City of Edmonton to go with Google Apps, it is puzzling and questionable why city of Edmonton FOIP office (reporting to Edmonton city council, and working closely with Edmonton Chief Information Officer) has NOT yet decided to submit a privacy impact assessment under The Freedom of Information and Protection of Privacy Act to the Office of the Information and Privacy Commissioner of Alberta and the Office of the Privacy Commissioner of Canada to seek the two Offices of the Privacy Commissioners’ advices and recommendations.
The FOIP Act, USA Patriot Act, and the case of University of Alberta
First of all, a little bit of information about The Freedom of Information and Protection of Privacy Act (the FOIP Act) (emphasis added),
“[the FOIP Act] was passed by the Alberta Legislature in June 1994. It came into effect on October 1, 1995. The FOIP Act provides individuals with the right to request access to information in the custody or control of public bodies while providing public bodies with a framework within which they must conduct the collection, use and disclosure of personal information.“
Given the FOIP Act focus re the “collection, use and disclosure of personal information“, it leads me to a serious concern in seeing City of Edmonton going with Google Apps and wondering how will the USA Patriot Act impact Canadians? At the moment, Google has no dedicated data center located in Canada, and Google stores its data in data centers primarily located in United States. Dr. Jonathan Schaeffer, University of Alberta Vice Provost and Associate Vice President (Information Technology), responsible for moving the university to Google Apps for Education, has painted an informed picture in this article, (emphasis added)
“The decision to go Google took almost two years to be realized. First, we had to investigate all our options, including providing a single system on campus (e.g., Microsoft) and using a local provider (e.g., Telus). Second, having decided on Google, we did our due diligence by doing a privacy impact assessment and getting it accepted by the Office of the Information and Privacy Commissioner of Alberta. Third, we had to negotiate a contract with Google that respected Alberta’s and Canada’s laws. Google houses its data in data centers that are primarily located in the United States. The U.S. Patriot Act acts as a lightening rod for some people. It took 1.5 years to come up with an agreement that satisfied our legal team (both internal and external the university), security team, and privacy officer. Only after going through all these steps were we comfortable with signing an agreement with Google.”
In a phone interview with Wayne Wood, Communications Director, Office of the Information and Privacy Commissioner of Alberta, Wood explained that, in Alberta, only custodians under the Health Information Act (HIA) are required by law to complete a privacy impact assessment (PIA) under the FOIP Act. And PIA submissions from entities like City of Edmonton, City of Calgary, University of Alberta, are “optional“.
Dr. Jonathan Schaeffer stated in a phone interview that the University wants to be transparent so it voluntarily prepared and submitted a 25+ pages detailed PIA to the Office of the Information and Privacy Commissioner of Alberta *and* the Office of the Privacy Commissioner of Canada to seek their advices and recommendations. As a result, the Privacy Commissioner of Alberta gave his formal reply in “Commissioner comments on University of Alberta’s plans to outsourceits email service to Google“. Here is an excerpt from the Commissioner’s comments with emphasis added,
“[Commissioner Frank] Work says the University has done what it reasonably can to ensure the protection of personal information. “However, users of the University email system must be informed that their emails will reside in a foreign jurisdiction and will be subject to the laws of that jurisdiction, such as in this case, the USA Patriot Act. Individuals can then make an informed decision about what kind of information they will transmit through email. The University has agreed to inform the student body and employees that it won’t be able to guarantee protection against possible disclosure of emails residing in the United States.” “
For ease of reference later, let me divide the Commissioner’s recommendations to U of Alberta into three parts,
- U of A will inform the users “that their emails will reside in a foreign jurisdiction and will be subject to the laws of that jurisdiction” (see note 1 at the bottom of this article for a brief but important discussion re jurisdiction, and note 2 for a brief discussion about the lastest Supreme Court of Canada ruling re wiretap handed down this morning.)
- “Individuals can then make an informed decision about what kind of information they will transmit through email“.
- Very importantly, “The University has agreed to inform the student body and employees that it won’t be able to guarantee protection against possible disclosure of emails residing in the United States.“
Privacy at the federal level
As part of my research, I contacted Valerie Lawton, Senior Communications Advisor, Office of the Privacy Commissioner of Canada, and was told the Office was not aware of any use of Google email or other Google apps in the Canadian federal context and has not examined this issue. But Lawton made this point, (emphasis added)
“In general, what I can tell you is that if a government department establishes any new or substantially modified program or activity involving personal information, it is required to conduct a Privacy Impact Assessment. Final PIAs must be submitted to our Office.“
So on the federal level, it is “required to conduct” and “PIAs must be submitted“. Very different from Alberta’s “optional” submission standard. And some can rightfully argue “lax” standard. Before I go back to Alberta, Lawton shared with me some links to documents the Office of the Privacy Commissioner of Canada have developed on cloud services in general that are quite insightful:
- Fact Sheet (Privacy Impact Assessments)
- 2010 Consumer Privacy Consultations report
- Reaching for the Clouds
The case of City of Edmonton
Wayne Wood, Communications Director, Office of the Information and Privacy Commissioner of Alberta, explained to me that while custodians (under the HIA) are required by law to submit a PIA, other entities are “strongly encouraged” to submit the optional PIAs as well. Even though Alberta’s PIA submission is optional, if you take a look of Appendix D of the Office of the Information and Privacy Commissioner 2010-2011 Annual Report (PDF), you will find a long list of municipalities (City of Calgary, City of Cold Lake, etc) and Ministries/Departments (Alberta Education, Alberta Transportation, Alberta Housing and Urban Affairs, etc) all voluntarily prepared and submitted PIAs to seek the Privacy Commissioner’s advices and recommendations.
In the case of U of Alberta, the Privacy Commissioner’s recommendations stated, “Individuals can then make an informed decision about what kind of information they will transmit through email“. In contrast, Canadians living in Edmonton when communicating with city employees or people in the @edmonton.ca domain (e.g. Councillors@edmonton.ca ) will now transmit, under Google Apps, their personal and private data to a foreign jurisdiction possibly without their consent and without them knowing. You see, anyone can send emails to addresses in the @edmonton.ca domain and, as senders, I suspect many may not know their private and personal data may have been sent to a foreign jurisdiction.
Chris Moore, Chief Information Officer of city of Edmonton, told me a detailed privacy impact assessment (PIA) has been prepared before City of Edmonton goes with Google Apps. So it is very puzzling and somewhat questionable why the city of Edmonton FOIP office (reporting to Edmonton city council, and working closely with Edmonton Chief Information Officer) has NOT decided so far to submit a privacy impact assessment under The Freedom of Information and Protection of Privacy Act to both the Office of the Information and Privacy Commissioner of Alberta and the Office of the Privacy Commissioner of Canada to seek their advices and recommendations.
Sure, the PIAs submissions are legally “optional” but it makes great sense to get the two Privacy Commissioners’ advices and recommendations. After all, since Edmonton is the first major city to go with Google Apps, a ground breaking decision. Doesn’t it make this even more important to help Canadians understand the full privacy implications? We in Calgary and other cities like Toronto and Vancouver , will also want to understand the full privacy implications before our cities’ CIO follow in Edmonton’s footsteps. Informed decisions are the key foundation to help city councils across Canada and Canadians understand the risks and rewards.
The two privacy commissioner officers have the manpower, expertises, and time to carefully review the PIAs in order to provide appropriate advices and recommendations accordingly. I urge city of Edmonton to take the next right step and submit a detailed privacy impact assessment (PIA) to the Office of the Information and Privacy Commissioner of Alberta *and* the Office of the Privacy Commissioner of Canada to seek their advices and recommendations.
The following is my video interview with Chris Moore.
note 1: I am not a legal expert but Canadian vs foreign (US) jurisdiction and judicial system can mean the difference between day and night. Take a look of the story of Canadian Maher Arar‘s extraordinary rendition by the US government and the torture he suffered in Syria as a result.
At the end, the Canadian government paid Arar C$10.5 million in compensation, prime minister Stephen Harper formally apologized to him, and a Canadian commission cleared him of any links to terrorism in the Report by Commission of Inquiry into the Actions of Canadian Officials in Relation to Maher Arar (pdf).
So what does the US judicial system and US government do? In 2010, the U.S. Supreme Court declined to hear Mr. Arar’s case without giving any reason. As of December 2011, Arar and his family remained on the US No Fly List according to Toronto Star!
So don’t let someone persuade you easily the judicial systems in US and Canada are similar.
note 2: This news just happened this morning. CBC News reported that Supreme Court tells Parliament to rewrite wiretap law,
“The Supreme Court of Canada has struck down a law that allows police to tap telephones without a warrant in an emergency.
In its ruling, the court said that Section 184.4 “falls down on the matter of accountability” because the existing structure doesn’t provide a framework for oversight of police actions.
“Of particular concern, it does not require that notice be given to persons whose private communications have been intercepted,” the Supreme Court said.“
See Supreme Court of Canada full decision. and here are a few quotes,
” In the landmark decision Hunter v. Southam Inc.,  2 S.C.R. 145, this Court determined that a warrantless search is presumptively unreasonable. The presumed constitutional standard for searches or seizures in the criminal sphere is judicial pre-authorization: a prior determination by a neutral and impartial arbiter, acting judicially, that the search or seizure is supported by reasonable grounds, established on oath (pp. 160-62 and 167-68). [...]
The importance of prior judicial authorization is even greater for covert interceptions of private communications, which constitute serious intrusions into the privacy rights of those affected.”
I am not a legal expert, but this Supreme Court of Canada decision again show how much we Canadians and our judicial system values the importance of judicial pre-authorization and court oversight which some people argue have sadly been lacking in United States (as seen in the US government actions and court decisions).