Shared Services Canada (SSC) Advocacy Alert: Myths and Mystery, Exploring Sourcing Options for SSC: Impact of Data Sovereignty: Call for Guidance
++ Action Required:
December 16, 2012
Please review the Communique
below as Shared Services Canada (SSC) operating guidance may impact your future ability to participate in federal government modernization procurements, and also circulate the communique to your network of contacts who currently sell or plan to sell goods and services to the federal government. Also contact CATA CEO John Reid at firstname.lastname@example.org
to confirm your interest in this advocacy and to receive additional briefing materials.
On December 18th, we are holding a Teleforum Conference Call on "Myths and Mystery, Exploring Sourcing Options for SSC
" to engage the community in this topical discussion. It will be recorded for briefing purposes. Register at http://sourcingoptions.eventbrite.ca/
Communique (submitted to Shared Services Canada)
Please review the attached comparative analysis recently performed by Hogan Lovells of 10 western countries' policies on government access to data (Canada, US, France, Australia, Denmark, Ireland, Japan, Spain, UK, Germany). This study pertains to outsourcing, cloud computing or any alternative service delivery model. It examines the extent to which access to data by governments in various jurisdictions is possible, regardless of where a service provider is located. "Governmental access," as that term is used within, includes access by all types of law enforcement authorities and other governmental agencies.
As you will observe, every one of the countries surveyed (including Canada) has laws that are substantially similar to the US Patriot Act. As the authors state: "On the fundamental question of governmental access to data in the Cloud, we conclude, based on the research underlying this White Paper, that it is not possible to isolate data in the Cloud from governmental access based on the physical location of the Cloud service provider or its facilities. Government's ability to access data in the Cloud extends across borders. And it is incorrect to assume that the United States government's access to data in the Cloud is greater than that of other advanced economies."
Despite this, many hold the belief that personal and other sensitive data is more "at risk" when it is stored in the US, citing the infamous US Patriot Act. Yet, the risk of foreign government access to data exists regardless of where data may be located. As a matter of fact, as it pertains to the US Patriot Act, any provider that has a link to the US (e.g. an affiliate located in the US, or any kind of operations) is subject to the US patriot Act (regardless of whether their data center is physically located on Canadian soil or not). The Ontario Privacy Commissioner is very pointed with her comments on this issue:
Ann Cavoukian, Privacy Commissioner of Ontario stated "Oh God, the Patriot's Act is such nonsense!". "I'm so tired of hearing about the Patriot's Act....geography has nothing to do with Privacy..." March 3, 2012
Canadian firms are concerned that they will be prevented from becoming potential suppliers of IaaS capabilities or other cloud based services to SSC because of their US links, although they understand full well that American companies such as Lockheed Martin, HP(formerly EDS) and other US-based entities currently perform outsourcing services for the Government of Canada.
Those firms also referenced buzz words that have been thrown at them - such as 'data sovereignty' - to suggest that they could not bid any cloud solutions. This specific term 'data sovereignty' is not only illogical (as data by definition cannot be sovereigned), but is often perceived by them as an antiquated, fear-mongering concept used to prevent innovation and productivity gains in favour of the undisruptive status quo (in 2004, when the BC government was looking at outsourcing as a means to reduce the cost of IT, the public service unions cited 'data sovereignty' as a reason to not allow outsourcing in an attempt to protect the IT based union positions. This led to BC introducing privacy legislation prohibiting cross border data flows. BC was therefore able to proceed with outsourcing, with the caveat that data ought to stay in the province. Their ability to adopt innovative business models and 'dumb down' the supplier ecosystem serving the government was severely hampered however).
As our members are clearly concerned about their ability to participate in procurement activities, CATA believes that the time to address the elephant in the room has come, and that the risks relating to foreign government access to Government data and the interpretation of the Canadian legal framework as it applies to cross-border data flows must be discussed and addressed. This would restrict all potential providers to those who only do business in Canada and have no US links or operations. This dialogue is required to insure that you have a healthy ecosystem of solution providers and sourcing options open to SSC and you do not inadvertently limit competition.
We believe because this is a privacy discussion not a IT security discussion and it may be best addressed by a legal forum. What is required is a forum to discuss the implications with privacy professionals attune with the Canadian Legal Framework? Our goals would be to bring forward legal/privacy representatives to provide a deeper level of insight on how this issue can be managed.
Lastly, please review the Canadian Federal Guidelines on Privacy and Cross-Border Data Flows. We do not believe that these prohibit data from being processed outside of the country:
"Canadian Law Does Not Prohibit The Federal Government From Transferring Personal Information To The United States."
Ps Add to the Conversation on CATA Social media channels at: http://www.linkedin.com/groups/Shared-Services-Canada-SSC-Forum-4210358/about
It also strikes me as a possible barrier to business in the US and other nations - If we deny their companies access to our marketplaces, then we risk a tit-for-tat escalation of denials of access to contracting opportunities in their marketplaces, and indeed across any border. Data Sovereignty is similar to "litigation chill" - if you are afraid of something, even if it does not become reality, it can impact your business on the 2nd order.
For Small and Medium Enterprises (SMEs), this could represent significant barriers when contracting policies in Canada are leaning towards the larger firms, and forcing SMEs into subcontracting arrangements which cost them percentages of their profit margins. I would be interested as well in OSMEs (Office of Small and Medium Enterprises) opinion - perhaps someone could discuss the concepts with Shereen Miller over there.
Douglas Michael Lloyd, CATAAlliance, Executive in Residence
& Chair National Institute of Biomass, Renewable & Clean Technologies