Staff and students at Lakehead University had been told not to
send private data over the system, prompting staff to lodge an
official grievance against the university over the outsourcing of
its email infrastructure to Google systems that pass through the
US.
Staff have complained that the fact that their emails are routed
through the US means that their contents are vulnerable to
interception by US authorities.
A Canadian privacy lawyer who specialises in cross-border data
transfers to the US told technology law podcast OUT-LAW Radio that there was cause for
concern.
"I think the big concern with the Patriot Act is that certain
demands and certain searches that used to require a warrant from a
court and therefore were subject to court oversight and supervision
now can be done with something similar to an administrative
subpoena, something called a national security letter," said David
Fraser of law firm McInnes Cooper in Canada.
"There is also a gag order that goes along with it so that the
custodian of the information is not allowed to tell anyone that the
demand has been made," he said.
The Lakehead University dispute has raised the issue of whether
or not personal data should be entered into systems which are based
in the US.
Fraser said that a number of Canadian provinces have in recent
years introduced laws preventing public bodies from transferring
personal data outside the country.
Technologies such as Google Docs, a word processing and
spreadsheet on-demand software service, are introducing individuals
and small firms to remote data processing, which previously was the
preserve of major companies which outsourced data processing on a
large scale.
William Malcolm, a data protection specialist with Pinsent
Masons, the law firm behind OUT-LAW.COM, said that UK companies who
want to send employee or customer data outside the European
Economic Area must make sure that the information will be as safe
there as it is in the European Union.
"In essence what the [Data Protection] Act is trying to achieve
is to make sure that data doesn't go to countries or territories
which provide safeguards which are lesser than those which are
provided in the European Union," said Malcolm.
If companies are transferring data from the EU to the US they
must find a means of complying with the obligations imposed by EU
law. These include consent, binding corporate rules, binding
contractual clauses and a Safe Harbor deal. [See: OUT-LAW's legal
info on overseas transfers of personal
data.]
But Malcolm warned that with or without such a means of
compliance, any data held in the US will be subject to that
country's laws, and will be as obtainable under the Patriot Act as
any other data in the US.
If local US laws give organisations and public authorities the
ability to require organisations holding data in their territory to
make disclosures then there's very little that can be done to stop
that," he said. "The fact of the matter is once the data's there if
it can be accessed locally, legitimately under local laws there is
very little you can do to prevent that."
x
