Media Releases

Outsourcing Canadian data to the ‘cloud’? Think again.

September 14, 2015

U of T researchers challenge faulty bases for previous outsourcing decisions

TORONTO, ON – Think­ing of out­sourc­ing Cana­di­ans’ per­son­al data to the cloud? Find­ing the appar­ent cost sav­ings and con­ve­nience of large US cloud ser­vice providers like Microsoft and Google increas­ing­ly irre­sistible? Already tak­en this step, believ­ing that the pri­va­cy risks of doing so are com­pa­ra­ble to the data remain­ing in Cana­da? Think again.

Researchers from the Uni­ver­si­ty of Toron­to have found that if you are stor­ing, pro­cess­ing and/or rout­ing data in the cloud out­side of Cana­di­an juris­dic­tion, that data los­es impor­tant Cana­di­an legal and con­sti­tu­tion­al pro­tec­tions. Their find­ings raise seri­ous con­cerns about the pri­va­cy of our data in the cloud, includ­ing children’s data, time­ly giv­en yesterday’s announce­ment that Nova Sco­tia is mov­ing its entire K‑12 school sys­tem to Google Apps for Edu­ca­tion.

The results of the year­long study are report­ed in See­ing Through The Cloud: Nation­al Juris­dic­tion and Loca­tion of Data, Servers, and Net­works Still Mat­ter in a Dig­i­tal­ly Inter­con­nect­ed World.

A press con­fer­ence will be held tomor­row from 12–12:15 at the open­ing of the launch event for the report. The report will be released to the pub­lic at that time along with four sup­port­ing reports co-authored with con­tribut­ing researchers on our pub­lic web­site: The exec­u­tive sum­ma­ry and table of con­tents are already avail­able for down­load.

To receive an embar­goed copy of the report in advance, please con­tact our event orga­niz­er, Ms. Susie Col­bourn ( For oth­er inquiries, please con­tact the Prin­ci­pal Inves­ti­ga­tor, Hei­di Bohak­er at


WHAT: Press Con­fer­ence, fol­lowed by launch and dis­cus­sion of See­ing Through the Cloud, with brief intro­duc­tions by Lisa Austin, Hei­di Bohak­er, Andrew Clement and Stephanie Per­rin. Light lunch pro­vid­ed.

WHEN: PRESS CONFERENCE: Tues­day, Sep­tem­ber 15, 12–12:15 pm.

WHERE: Sid­ney Smith Hall Room 2098, 100 St. George St. Uni­ver­si­ty of Toron­to.



The report’s find­ings are espe­cial­ly time­ly in light of the recent dis­clo­sures of the extra­or­di­nary scope and ques­tion­able law­ful­ness of the mass sur­veil­lance pro­grams con­duct­ed by the US Nation­al Secu­ri­ty Agency (NSA).

As Pro­fes­sor Andrew Clement notes “The Snow­den rev­e­la­tions of mass gov­ern­ment sur­veil­lance mean that Cana­di­an orga­ni­za­tions should not out­source the han­dling of our per­son­nel, con­fi­den­tial or oth­er sen­si­tive infor­ma­tion to US com­pa­nies like Microsoft or Google. Instead, we should be strength­en­ing Cana­di­an inter­net infra­struc­ture so we can keep domes­tic data more local, pro­tect­ing it bet­ter while improv­ing net­work effi­cien­cy and per­for­mance.”

Pro­fes­sor Hei­di Bohak­er says that, as a his­to­ri­an “I think of eCom­mu­ni­ca­tions sys­tems as rich infor­ma­tion archives of con­ver­sa­tions and ideas that are inter­nal to orga­ni­za­tions and inter­nal to schools. Why should this pri­vate data be stored out­side of Cana­da?” In addi­tion to per­son­al infor­ma­tion, these sys­tems con­tain ideas in devel­op­ment, intel­lec­tu­al prop­er­ty, strate­gic plan­ning, con­fi­den­tial edu­ca­tion­al, employ­ee med­ical and per­for­mance issues and research and devel­op­ment data that deserve our high­est stan­dards of pri­va­cy pro­tec­tion.”

Pro­fes­sor Lisa Austin points out that “Under the Cana­di­an Char­ter of Rights and Free­doms, the ques­tion is nev­er whether the state can access per­son­al infor­ma­tion but rather what kinds of pro­tec­tions should gov­ern the terms of that access (such as the require­ment of a war­rant on rea­son­able and prob­a­ble grounds). This con­sti­tu­tion­al ques­tion needs to be asked when com­par­ing pri­va­cy pro­tec­tions across juris­dic­tions.”

Ms. Stephanie Per­rin, one of the report’s co-authors, notes that “we must exert more con­trol over trans­bor­der dataflow if we hope to man­age ubiq­ui­tous cloud com­put­ing and pre­serve our pri­va­cy rights… Those who stud­ied this issue in the 1970s and 1980s not only pre­dict­ed the devel­op­ment and growth of these new net­worked tech­nolo­gies, they also cor­rect­ly iden­ti­fied the risks of data cap­tured by for­eign gov­ern­ments and oth­er non-state actors.” Ms. Per­rin is a doc­tor­al can­di­date at the Uni­ver­si­ty of Toron­to. She is also rec­og­nized as an inter­na­tion­al expert in pri­va­cy and data pro­tec­tion and has served in sev­er­al posi­tions in the Cana­di­an Gov­ern­ment, includ­ing as Direc­tor of Research and Pol­i­cy in the Office of the Pri­va­cy Com­mis­sion­er.

The See­ing Through the Cloud report is already gar­ner­ing sup­port and praise from inde­pen­dent legal, pri­va­cy and sur­veil­lance experts.

Heather Black, for­mer Assis­tant Pri­va­cy Com­mis­sion­er for Cana­da, and author of one of the ear­ly deci­sions used in jus­ti­fy­ing cur­rent out­sourc­ing deci­sions: “In their excel­lent paper on Why Juris­dic­tion Still Mat­ters, Lisa Austin and Daniel Carens-Nedel­sky have argued that the “sim­i­lar risk” analy­sis as applied in the CIBC Visa case is wrong and that it should not be relied upon by the uni­ver­si­ties… In light of the Snow­den rev­e­la­tions I believe it would be fool­ish indeed to blind­ly fol­low the CIBC Visa “prece­dent” espe­cial­ly when the per­son­al infor­ma­tion at stake is some­thing as sen­si­tive as emails. ”

Pro­fes­sor Col­in Ben­nett, a Polit­i­cal Sci­en­tist and pri­va­cy expert, Uni­ver­si­ty of Vic­to­ria: “The Report “See­ing through the Cloud” should remind us what a fun­da­men­tal­ly mis­lead­ing con­cept “cloud-com­put­ing” actu­al­ly is… Based on detailed legal analy­sis, care­ful empir­i­cal inves­ti­ga­tion into out­sourc­ing by Cana­di­an uni­ver­si­ties, this report reminds us that juris­dic­tion mat­ters, the rout­ing of com­mu­ni­ca­tions mat­ters, and nation­al laws still mat­ter.”

Vin­cent Mosco, Pro­fes­sor Emer­i­tus of Soci­ol­o­gy and for­mer Cana­da Research Chair in Com­mu­ni­ca­tion and Soci­ety, Queen’s Uni­ver­si­ty: “This project makes an impor­tant con­tri­bu­tion to Cana­di­an research and pol­i­cy analy­sis on a sig­nif­i­cant, but poor­ly under­stood, area of the online world. As it con­vinc­ing­ly demon­strates, there are sig­nif­i­cant pri­va­cy impli­ca­tions in the move­ment of data to the Cloud and while it is some­times less expen­sive to locate data out­side Cana­da, there is con­sid­er­ably greater pri­va­cy pro­tec­tion for data that remains in Cana­da. In order to save mon­ey, insti­tu­tions like uni­ver­si­ties are plac­ing the records of employ­ees and stu­dents at great risk by mov­ing it to for­eign servers.”

David Lyon, Pro­fes­sor, Soci­ol­o­gy, Queen’s Uni­ver­si­ty: “This is a mod­el of good report-writ­ing… The key find­ing is that local juris­dic­tions do cre­ate dif­fer­ent sit­u­a­tions — the idea that ‘sim­i­lar risks’ occur wher­ev­er you live is sim­ply misleading…This is not an argu­ment against using new dig­i­tal com­mu­ni­ca­tions but rather a plea that the poli­cies that shape their use be rec­og­nized and reformed to offer gen­uine pro­tec­tions where they are most need­ed.”

This project has been fund­ed by the Office of the Pri­va­cy Com­mis­sion­er of Cana­da (OPC); the views expressed here­in are those of the author(s) and do not nec­es­sar­i­ly reflect those of the OPC.

- 30 -

Avail­able to media:
Hei­di Bohak­er, His­to­ry, [will call back medi­ain response to emailed request]
Andrew Clement, Infor­ma­tion, , 778–354-3000

Addi­tion­al con­tacts:
Lisa Austin, Law,
Stephanie Per­rin, Infor­ma­tion,
Uni­ver­si­ty of Toron­to

Exter­nal Review­ers

Heather Black, For­mer Assis­tant Pri­va­cy Com­mis­sion­er for Cana­da,

Prof. Col­in Ben­nett, Polit­i­cal Sci­ence,
Uni­ver­si­ty of Vic­to­ria

Prof. Emer. Vin­cent Mosco, Soci­ol­o­gy,
Prof. David Lyon, Soci­ol­o­gy,
Queens Uni­ver­si­ty

To RSVP for the See­ing Through the Cloud launch event on Sep­tem­ber 15, please con­tact: