Data access and privacy are always top concerns for Canadians, and many of us have heard of the recently invalidated Safe Harbor agreement between the US and Europe. It warrants review and consideration as to how that may impact Canadians in the short and long run.
Regulators in Europe are gearing up to enforce tougher privacy laws and possibly to bring further court challenges against the standard privacy arrangements that currently exist between various countries. If you are wondering why all of this is happening, it is because the European Court of Justice issued a ruling this past October that invalidated the Safe Harbor data transfer agreement between the US and the European Union, as its privacy mechanisms were deemed inadequate. A lot of this has been based on the Edward Snowden revelations of US agencies snooping on international data flows; the court’s decision to void Safe Harbor constitutes a rejection – loud and clear – of America’s mass surveillance program.
We are not sure how different Canada is from the European Union (and won’t speculate), but it is safe to say that our customers continue to be focused on data privacy and have continually raised concerns about who can access their data.
A study released this past December by IXMaps shows how your internet traffic flows around Canada and at what point your traffic/data crosses into the US. The study clearly shows that our internet traffic typically follows a “boomerang route” and frequently goes through internet hubs in Seattle, New York or Chicago. A boomerang route is when your data (data packets, specifically) is sent through exchange points in the US before returning to Canada. Note that each of the above-listed locations has been identified as a National Security Agency listening post. The image below shows the route that data took when someone at home in Toronto communicated with the Toronto Star’s website. Despite being hosted only a few kilometres away from the user, the data traveled through New York City and Chicago before returning to Toronto.
Example of “boomerang route” (Source: Open Media)
More details on the study can be found here.
This study demonstrates one of the obvious reasons that Canadian Web Hosting created and deployed our own network across Canada, with our primary hubs located in Toronto and Vancouver. We wanted to be able to provide reassurances to our customers that their data was intact and remained on the network throughout Canada, to ensure our customers’ compliance with PIPEDA. In looking at IXMaps, it does make you wonder if our privacy laws like PIPEDA are still valid and whether new rules may be warranted, similar to what is happening between the EU and US. Consider this: the researchers from IXMaps confirmed that “when (data) passes through the United States… Canadians have no legal rights at all. We lose our constitutional rights, and under US law Canadians are foreigners, so there’s no protection for our communications.”
Should we be concerned about data rules south of the border with other countries? Definitely.
As of today, the US and Europe are working to create a new framework for providing legal cover for cross-border data transfers. This includes stricter data-handling policies, new technologies, or paying to lease data centres based in Europe, though that is a bit tenuous: American companies trying to shield their business on foreign soil still face the possibility that US entities could demand access to their data even though it is stored outside of the US. The new privacy agreement is being hailed as a “Privacy Shield” by European Union and US negotiators, who reached a new cross-border data sharing agreement that still faces significant hurdles before it can be enabled. It would be interesting to look at an existing case to see how any potential changes could impact existing legal cases.
One case we have been closely monitoring is Microsoft’s legal battle with the US government over some emails stored in Ireland. The US government claims that because Microsoft is a US-based company, the government can get the requested information at any time. The information is being requested under the 1986 Stored Communications Act (SCA), which allows the government to compel companies to hand over any data they own in pursuit of an investigation. The fact that the data in question is in another country does not seem to matter.
In addition to Microsoft, many recognizable companies are facing renewed threats from privacy regulators. Google, Facebook and other big Internet services that transfer mountains of data globally are likely to be the first targets in any regulatory crackdown. Many of these companies don’t have viable next-step alternatives and continue to look for interim solutions to try to meet privacy rules, including localized data centres, using technologies to keep data within designated borders, and using binding corporate rules.
We will continue to watch what takes place while focusing on building data centre and cloud capacity that removes many of these concerns. In the past it may have been difficult for Canadians to find enterprise-ready infrastructure and cloud hosting capacity, but that is no longer the case. In addition, with the low Canadian dollar, Canadian Web Hosting can deliver significant cost advantages to businesses and users alike. To learn more, visit www.canadianwebhosting.com.