
Publication
Navigating international trade and tariffs
Impacts of evolving trade regulations and compliance risks
Canada | Publication | October 2025
The Controlled Goods Program (CGP) is Canada’s domestic industrial security program, which regulates the examination, possession, and transfer of controlled goods. The CGP is managed by Public Services and Procurement Canada (PSPC) under the Defence Production Act (the Act), and more specifically under the Controlled Goods Regulations (the Regulations). The Act and the Regulations exist to enhance Canadian defence and security and safeguard against unlawful access to controlled goods. In addition, and among other things, the Regulations establish a mandatory registration and compliance framework for individuals and organizations examining, possessing or transferring controlled goods. Any person accessing controlled goods must, subject to certain exclusions and exemptions applicable primarily to governmental employees and non-Canadians, register in the CGP and comply with the Act and the Regulations.
Controlled goods are primarily defence articles, including certain components and associated technologies, that have military or national security significance, as more particularly described in the Controlled Goods List schedule to the Act. While the Controlled Goods List is primarily comprised of physical defence articles, related technologies and technical data are also captured. For example, blueprints and technical data, including in electronic format, are considered controlled goods. By extension, controlled goods data stored in the cloud or on physical storage devices such as USB sticks fall within the scope of the CGP.
This article focuses on the unique considerations applicable to controlled goods data stored in the cloud.
The Government of Canada has published guidance on the use and provision of cloud services for storing and transferring controlled goods data. Such guidance provides that CGP registrants are responsible for ensuring that cloud services, including for storing and processing controlled goods data, are appropriate for their business activities, while cautioning that security controls over such services should be regularly reviewed and continuously monitored to manage security risks. CGP registrants should consider whether their existing cybersecurity protocols and procedures are up to date and sufficiently robust.
While questions remain, the Canadian government guidance provides a roadmap for compliance with the Act and Regulations, and answers certain key questions which may be of interest to users and providers of cloud services.
The following questions and answers explore some of the practical implications of Canada’s treatment of controlled goods data stored in the cloud:
Can controlled goods data be stored in the cloud?
Yes. CGP registrants may store controlled goods data in the cloud, subject to compliance with the Act and Regulations, including subsection 37(2) of the Act, which prohibits CGP registrants from knowingly transferring controlled goods to, or permitting their examination by, a person who is not registered or exempt from registration. Practically, this means that in addition to ensuring that appropriate data security controls are in place, organizations intending to use cloud services to store, process or transfer controlled goods data should ensure that their cloud services provider (CSP) is a CGP registrant to avoid unauthorized access to controlled goods data and therefore breaches of, and penalties under, the Act. A list of Controlled Goods Program registrants, including registered cloud service providers, is available online.
Do CSPs providing cloud services for storing and transferring controlled goods need to be program registrants?
Yes. Registrants are prohibited under the Act from knowingly transferring controlled goods to, or permitting their examination by, a person who is not registered or exempt from registration. Accordingly, any CSP intending to provide cloud services for storage of controlled goods data should be registered in the CGP and should ensure that its personnel or employees have appropriate security status as required by the Act and Regulations. Likewise, CGP registrants intending to use cloud services to store and/or transfer controlled goods data should be vetting CSPs accordingly.
Does cloud-stored controlled goods data need to be located within Canada?
While certain data residency requirements apply to CGP registrants, storage of controlled goods data outside Canada is not prohibited. The export of controlled data is subject to Canada’s export control regime under the Export and Import Permits Act. Global Affairs Canada must be consulted for any applicable export licensing requirements with respect to data to be stored on servers located outside of Canada. Given the complexity of the export control regime, storage of controlled goods data outside of Canada may require multiple licenses.
Does controlled goods data need to be encrypted?
Yes. PSPC requires that registrants ensure controlled goods data in the cloud is encrypted both when it is stored and when it is transferred (i.e. end-to-end encryption). However, encryption alone is insufficient to comply with the restrictions under the Act and Regulations on unauthorized access to controlled goods. CSPs must also be registered in the CGP.
Can any employee of a CGP registrant organization access controlled goods data?
No. CGP registrants must ensure that access to cloud-stored controlled goods data is restricted only to employees (including IT staff who have access to cloud storage) who have undergone a security assessment in accordance with the Regulations. Any such access should be granted only via a secure system with strict access controls. This effectively imposes an additional obligation on CSPs to implement robust internal security protocols, and on organizations using cloud services to ensure that their CSPs do so.
What reporting and record keeping obligations apply to storage of controlled goods data in the cloud?
Companies storing controlled goods data in the cloud are subject to the same reporting and record keeping obligations as any other CGP registrant, including, but not limited to, maintenance of detailed records with respect to controlled goods data received and/or transferred by the CGP registrant, the manner of such receipt and/or transfer, implementing security assessments and preserving supporting documentation, and reporting any actual or potential security breaches to the Minister of Government Transformation, Public Works and Procurement. CGP registrants are also required to maintain a security plan setting out procedures for the management of controlled goods and for reporting on and investigation of security breaches in respect of each place of business in Canada where controlled goods are kept. Records are subject to audits by the Minister of Government Transformation, Public Works and Procurement. CGP registrants must implement systems and protocols for reporting and record keeping both to ensure compliance with the Act and Regulations, and to maximize safeguards of their controlled goods.
Because cloud storage is a relatively new and evolving technology, particularly as used for storage and transfers of controlled goods data, certain questions and issues remain to be fully addressed by Canadian government guidance and perhaps even the Act and Regulations themselves.
Cross-border transfers of controlled goods data are subject to export licensing requirements. The particulars of those requirements and the process for satisfying them are not fully addressed in the Act, the Regulations or available guidance. Further details and public written guidance with respect to the export licensing process and steps CGP registrants might take to protect controlled goods data that is transferred across borders would be helpful.
Unlike the United States’ International Traffic in Arms Regulations (ITAR), which provide a limited carve-out for foreign storage of encrypted controlled data, in Canada it remains unclear whether end-to-end encryption may mitigate any controlled goods data export concerns or what impact such encryption might have on export licensing requirements. Based on available information and our experience in this area, we would suggest that encryption has no mitigating effect from the Canadian government’s perspective, hence the requirement to contact Global Affairs Canada in connection with any export of controlled goods data.
Many cloud technologies automatically log information related to stored data for technical support and troubleshooting purposes. It is not clear based on existing Canadian government guidance whether such logs themselves comprise controlled goods data, whether keeping or disclosing such logs constitutes a “transfer” within the meaning of the Act and Regulations, and therefore whether access to such logs needs to be restricted to comply with the Act and Regulations. It is likely that the determination of whether any such log constitutes controlled goods data, and therefore whether restrictions under the Act and Regulations apply to it, will depend on the type of information the log contains. However, the prudent approach would be to treat all such logs as controlled goods data until the Canadian government provides guidance to the contrary.
Features such as anti-malware, indexing, or other similar automated content processing features implemented into cloud systems may require access to stored data to complete their functions. Existing guidance is silent on whether such automated parsing would constitute “examination” within the meaning of the Act and Regulations, and therefore whether additional safeguards and restrictions apply. To the extent that such automated content processing features and related or derived information is accessible by individuals, it is likely that this would indeed constitute “examination”.
Although some useful guidance on the use of the cloud for storage and transfer of controlled goods data is available, cloud data storage technology, like many other new and evolving technologies, is exposing the limits of existing regulations and safeguards, a trend that shows no signs of slowing. Companies and individuals storing controlled goods data in the cloud should take care in selecting a CSP and ensure that appropriate security protocols and procedures are in place to protect that data. Likewise, CSPs providing cloud services for the storage of controlled goods data should be familiar with the obligations and restrictions applicable to controlled goods to ensure that the cloud services they provide, and their related internal processes and features, are compliant. Given the highly sensitive nature and treatment of controlled goods in Canada, parties should err on the side of greater caution and security when selecting, implementing or providing cloud services for storing and transferring controlled goods data.
It is noteworthy in the context of this discussion that the Canadian government has publicly emphasized the importance of developing a sovereign cloud to, among other objectives, increase Canadian data security. Canadian sovereign cloud technology could provide clarity and solutions to the open questions and issues raised in this article. Interested parties should watch this space.
If you have any questions about the topics discussed in this article, Canada’s Controlled Goods Program generally, how the CGP applies to your organization or the development and implementation of cybersecurity strategies to protect your controlled goods data, please contact the authors.
© Norton Rose Fulbright LLP 2025