Out-Law News | 28 Mar 2008 | 10:07 am | 2 min. read
Staff and students at Lakehead University had been told not to send private data over the system, prompting staff to lodge an official grievance against the university over the outsourcing of its email infrastructure to Google systems that pass through the US.
Staff have complained that the fact that their emails are routed through the US means that their contents are vulnerable to interception by US authorities.
A Canadian privacy lawyer who specialises in cross-border data transfers to the US told technology law podcast OUT-LAW Radio that there was cause for concern.
"I think the big concern with the Patriot Act is that certain demands and certain searches that used to require a warrant from a court and therefore were subject to court oversight and supervision now can be done with something similar to an administrative subpoena, something called a national security letter," said David Fraser of law firm McInnes Cooper in Canada.
"There is also a gag order that goes along with it so that the custodian of the information is not allowed to tell anyone that the demand has been made," he said.
The Lakehead University dispute has raised the issue of whether or not personal data should be entered into systems which are based in the US.
Fraser said that a number of Canadian provinces have in recent years introduced laws preventing public bodies from transferring personal data outside the country.
Technologies such as Google Docs, a word processing and spreadsheet on-demand software service, are introducing individuals and small firms to remote data processing, which previously was the preserve of major companies which outsourced data processing on a large scale.
William Malcolm, a data protection specialist with Pinsent Masons, the law firm behind OUT-LAW.COM, said that UK companies who want to send employee or customer data outside the European Economic Area must make sure that the information will be as safe there as it is in the European Union.
"In essence what the [Data Protection] Act is trying to achieve is to make sure that data doesn't go to countries or territories which provide safeguards which are lesser than those which are provided in the European Union," said Malcolm.
If companies are transferring data from the EU to the US they must find a means of complying with the obligations imposed by EU law. These include consent, binding corporate rules, binding contractual clauses and a Safe Harbor deal.
But Malcolm warned that with or without such a means of compliance, any data held in the US will be subject to that country's laws, and will be as obtainable under the Patriot Act as any other data in the US.
"If local US laws give organisations and public authorities the ability to require organisations holding data in their territory to make disclosures then there's very little that can be done to stop that," he said. "The fact of the matter is once the data's there if it can be accessed locally, legitimately under local laws there is very little you can do to prevent that."