Earlier this week, on Spend Matters UK, we saw a guest post from Jessica Warren of Hubwoo that asked what the US surveillance programme means for procurement systems and people. It asked some good questions, and gave some good answers, but it missed the most important question. However, before we get to that, we’re going to provide some background and a few other important pieces of information to put everything in context.
The post, written largely from the EU perspective, notes that the European Data Protection Directive (95/46/EC) defines rules for the transfer of personal data outside the EU, in order to ensure the best possible protection of personal data when it is exported abroad, and that the transfer of personal data to non-EU countries that do not meet the EU “adequacy” standard for privacy protection is prohibited.
The EU is not the only political body to take privacy seriously. Canada has the Personal Information Protection and Electronic Documents Act (PIPEDA), which recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances, and the Privacy Act, which extends the laws of Canada that protect individual privacy to government institutions. These laws imply that personal information cannot be provided to any party that is not bound by laws at least as strong as the Canadian laws (which are also augmented with additional regulations in the provinces of British Columbia, Alberta, and Quebec). So storing Canadian data on US servers that can be seized by the US government at any time for any reason under the Patriot Act could also be a big no-no.
Another thing to remember is that hosting in the biggest Canadian data centre that will give you the best deal, which used to be the default answer if you wanted to service North American clients with fast response times and ensure Canadian and EU privacy protections were in force, is not necessarily enough anymore, even if the data centre adheres to the U.S.-EU Safe Harbour Framework. (The Safe Harbour Framework was originally designed to provide guidance for U.S. organizations on how to provide adequate protection for EU personal data, so that US companies could store and process EU data without violating EU laws. Even though the intent was sound, the execution was weak: the first case under the framework was not brought until 2011, and the framework has come under significant criticism in two external reviews by the EU, in 2002 and 2004, and one by Galexia, in 2008.)
Why can’t you just ask that your US solution provider store the data in Canada and be done with it? The US Patriot Act. This diabolical piece of legislation gives the US government the right to demand any data held by any company governed by US law, no matter who or what the data pertains to, how or when it was acquired, or where it is physically stored. In other words, even if your US-based solution provider stores your data in Canada or Germany, the US can still demand that data. (Even Microsoft had to admit that, regardless of where it stored its European customers’ data, it could not ensure such data would not be turned over to the US government. [Source]) It’s not enough to just ask the provider whether or not it can guarantee that your data is safe from the Patriot Act, as most service providers don’t understand the full extent of the power granted to the US Government by the Patriot Act, and many believe that being on the Safe Harbour list ensures their customers have adequate protection, which is not the case. (That’s why a European Parliament committee is recommending suspension of US-EU Safe Harbour. [Source]) Furthermore, if such data is stored in a data centre that participates in Safe Harbour, even if it’s on Canadian soil, you’re more or less in a double-jeopardy situation: that data centre, by participating in the program, has agreed to adhere to US regulations and will immediately hand that data over on official request!
This means that the most important question is not “where is my data hosted?” but:
1. What law governs the data you store on my behalf?
Simply put, if the company is bound by US law, it doesn’t matter where your data is, it is still subject to the US Patriot Act, and can be demanded by the U.S. Government at any time.
If your organization is subject to EU or Canadian privacy directives (which, in most provinces, prohibit the export of private data outside of Canada), after you have verified that US law does not govern the data stored on your behalf, then you ask:
2. Where is my data being stored?
2b. If you are storing my data in Canada, has the data centre opted into a US Safe Harbour program?
If privacy is a concern, not only do you not want your data stored in the US, but you probably don’t want it stored in a Canadian data centre that has opted into a US Safe Harbour program (and has thereby agreed to honour requests made under the US Patriot Act). (Note that there are a number of data centres in Canada that have not opted into this program and are still really good choices for servicing your North American operations.)
3. Is the storage provider (which might be a data centre contracted by your solution provider, as most Sourcing and Procurement SaaS providers do not manage their own data centres) bound by laws at least as strong as the privacy laws my organization is bound by?
If the answer is yes, you’re good to go.
There are also three lessons here for US-headquartered Sourcing and Procurement vendors who want to go global (and conquer Europe).
1) Move your headquarters somewhere else.
The UK would be a good choice if being located in an English-speaking country is important to you.
2) Open a Canadian subsidiary to manage your North American service delivery operations.
3) Use a Canadian data centre that does not participate in the US Safe Harbour program to store your customers’ data.