CANADA'S BIGGEST TELCOS and data centres are likely eyeing Microsoft's recent deal with Germany's Deutsche Telekom to get around data sovereignty worries, possibly hoping the software company will strike a similar – and lucrative – deal with them.
However, Halifax-based privacy law expert David Fraser suggests they shouldn't get their hopes up because the Canadian market is so small. On the other hand, he added, British Columbia already beat Microsoft with a similar solution.
Still, "there are operators of data centres in Canada who may be more than happy to enter into an arrangement whereby Microsoft's data is stored in their data centers … and Microsoft administrators can’t touch the data."
"I would expect they (Microsoft) are looking at all their options across the world."
This comes after Microsoft on Wednesday announced a deal to have Deutsche Telecom build two data centres next year for its Azure and Office cloud services in Germany. The telco would become the data trustee, in effect the controller of European customer data held in the centres. Microsoft, according to a report in the Financial Times, couldn’t access the data without the telco's permission – so, in theory it wouldn't control the data.
This would appear to be a way to block the U.S. Justice department, which says American law gives its courts the power to tell American companies to hand over information in their control, no matter where it is in the world.
In one case, Microsoft has been resisting an attempt to subpoena email of a customer held in one of the software company's data centres in Ireland, arguing the court order would extend U.S. law outside its boundaries. An appeal court decision is expected soon.
The deal also comes after a decision last month by the Court of Justice of the European Union that invalidates the EU-U.S., privacy safe harbor agreement. That agreement allows the transfer of personal data to the U.S. from European Union countries if it is adequately protected. The court also said EU supervisory data authorities could review whether non-EU countries – such as the United States – provide adequate protection to personal data transferred to it.
That could be touchy in light of the revelations of former NSA consultant Edward Snowden of the ability of the NSA to crack protected data.
Microsoft CEO Satya Nadella told the Financial Times the goal of the Deutsche Telecom deal is to "earn both trust of our global customers and operate globally."
With that safe harbor agreement struck down, personal data can’t be moved across the Atlantic.
As Toronto lawyer privacy Barry Sookman of McCarthy Tetrault noted in a blog last month, that court decision has Canadian ramifications.
Multinational companies here have relied on the safe harbour provisions to transfer data from the EU to their American operations, he pointed out, as well as Canadian businesses which host EU data with service providers with operations in the U.S. or who outsource services to U.S. service providers for customers resident in the EU.
Would Microsoft strike a similar deal here? A number of Canadian service providers as well as U.S. companies like IBM have expanded their data centers to attract business from organizations worried about the U.S. reach – including Microsoft, which earlier this year announced plans to build new cloud data centres in Toronto and Quebec.
But Fraser, of McInnes Cooper, noted in an interview there are factors mitigating against it.
"When you look at it from a business point of view there has to be a business case for it, and it has to make financial sense. Certainly the European market its enormous, and a significant one for a company like Microsoft. On the other hand, an arrangement like this is expensive. It interposes a middleman who takes a piece of the profit. If the data centre is owned by Deutsche Telecom or a subsidiary, that's a significant capital expenditure on behalf of that partner. The question is whether the market in Canada would bear that."
He also pointed out Microsoft's European customers reportedly will be charged an extra fee if they want their data stored in the Deutsche Telecom data centers rather than Microsoft's other European facilities.
Still, he expects Microsoft is looking at all its options around the world. So are probably other content and cloud providers with data centres outside the U.S.
Fraser also noted British Columbia came up with a similar solution several years ago when public service workers objected to the government outsourcing health care claims data to a U.S.-owned company. There were fears the U.S. could access the data under a court order or the U.S. Patriot Act.
The province amended its privacy act so public bodies couldn’t allow personal information of B.C. residents to be stored or accessed outside Canada, he noted. It also put in place a trust structure so if the U.S. parent received a disclosure order ownership of its Canadian subsidiary would be transferred to the province.
He also pointed out that the U.S. law isn’t unique. Canada's Income Tax Act also gives the government the right to get a subpoena ordering companies here to hand over any company records it can access to Revenue Canada.
Fraser also explained there are many ways the U.S. can get access to data here, including the Mutual Assistance and Criminal Matters Act, which allows the Canadian government to get a court order to enforce a U.S order.
