Evidence of meeting #74 for Industry, Science and Technology in the 41st Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was irap.
A recording is available from Parliament.
4:45 p.m.
NDP
Hélène LeBlanc NDP LaSalle—Émard, QC
Is there an incentive, do you think, in the role for the company, the Internet wireless company, to build in regions that are not as lucrative, maybe, as the urban areas?
4:45 p.m.
Director, Public Sector, Canadian Cloud Council
Spectrum is not necessarily something I've been following in detail.
4:45 p.m.
NDP
Hélène LeBlanc NDP LaSalle—Émard, QC
I was going to ask if you think the industry committee should have a study to see if those rules will provide access to Internet in all regions of Canada and drive innovation.
4:50 p.m.
NDP
4:50 p.m.
Conservative
4:50 p.m.
Conservative
Peter Braid Conservative Kitchener—Waterloo, ON
That would be most out of character for you to do that, to be impolite.
4:50 p.m.
Conservative
The Chair Conservative David Sweet
We're going to go to four minutes now, so we can get Mr. Regan in.
Mr. Braid, go ahead for four minutes.
4:50 p.m.
Conservative
Peter Braid Conservative Kitchener—Waterloo, ON
I want to continue the discussion around cloud computing and then come back to DTAPP if I still have time.
Mr. Cousens, I noticed that your smart phone was from a fruit company and not from BlackBerry, but I won't mention that.
With respect to the Canadian risk aversion we've been talking about, which can be both a good thing and a not-so-good thing depending on the context, if the risk aversion in Canada with respect to cloud computing relates primarily to concerns regarding security or privacy, and I know we've touched on that, are you satisfied that you and Mr. Kratz fully addressed that so far today or would you like to address that issue again and fully?
4:50 p.m.
Director, Public Sector, Canadian Cloud Council
I would say if we looked at what the U.K. has just done within the legal framework, the privacy and data protection framework of the EU, there must be some incredible learning to take away from there. If they can do it, I'm not sure why Canada can't do it, because they have a framework that is very robust compared to some of the other nations that are doing this.
Martin.
4:50 p.m.
Chairman of the Board, Canadian Cloud Council
I would agree with those comments. I think we have the legal framework in place in Canada to move forward, to allocate responsibilities, and to motivate good practices. As well, we have reputable vendors able to respond to customers' needs and to address these responsibilities.
4:50 p.m.
Conservative
Peter Braid Conservative Kitchener—Waterloo, ON
Great.
You've mentioned the U.K., and in your presentation you talked about the status of cloud computing in the U.S., Australia, and New Zealand. Any government with an advanced economy is equally concerned about privacy and security. What have these countries done that we haven't done to overcome this issue or this obstacle?
4:50 p.m.
Director, Public Sector, Canadian Cloud Council
Martin hosted a panel at our last conference in Banff in March. It was a panel of his peers, mostly lawyers who know this issue to a t. It was fact based. It was unemotional. I found it interesting, but some were a little bit bored by it. It was a practical discussion. It drove out and got to the facts. It removed emotion and parked it at the door. I thought it was one of the best discussions on how to address this issue.
I'll put it back to Martin, and he can summarize his findings, because he assembled the panel of experts to have that dialogue regarding the barriers for Canada.
4:50 p.m.
Chairman of the Board, Canadian Cloud Council
I would suggest the barrier isn't a legal barrier. It isn't in the nature of security systems. It isn't in the nature of our privacy regime. It's in the less enthusiastic or risk-averse nature of many of our companies that tend not to want to be the first to try something new, but rather want to wait until something is well established. That's the difficulty I would suggest for Canada. It's not in the technology. As you heard from Mr. Cousens, we have Canadian companies developing and leading innovation in the security field. We have leading suppliers of wireless products who have very secure networks that are able to support mobile cloud applications. It's a question of showing leadership.
I would reinforce that I think the premise of Mr. Cousens' presentation is really the benefit that we see out of the U.K. in the g-cloud initiative. What's being proposed for Canada is to have the government show leadership by becoming a consumer of cloud-based services and thereby helping the small and medium-sized enterprises to appreciate that these risks are manageable and that they can be addressed in a very regularized way.
4:50 p.m.
Conservative
The Chair Conservative David Sweet
Thank you very much, Mr. Kratz and Mr. Braid.
Now to Mr. Carmichael for four minutes.
4:50 p.m.
Conservative
John Carmichael Conservative Don Valley West, ON
Thank you, Mr. Chair.
I'd like to follow up on Ms. Gallant's and Mr. Braid's questions.
Mr. Kratz, you talk about our society as being risk averse. I understand that. As Canadians, we're all very conservative in our thinking, and I use that term in a liberal way.
In another study that was done not too long ago we talked about data warehouses, aggregators, and that most of them are located in the U.S., as an example. One of the concerns we heard and that I came away with.... Today, in listening to the CSPs, and as you talk about it, I think it goes beyond risk aversion. I think we're in a litigious society. We have concerns about that data. I, as an SME, am storing my customers' data. That customer data is being warehoused somewhere in the U.S., perhaps, through a CSP. How secure is it?
I understand your point on the risk aversion, but as a small business.... Certainly, when you start talking to government about becoming a major user of the product, how secure is it? How much assurance can we have that we're going to be able to preserve the privacy of that data?
4:55 p.m.
Chairman of the Board, Canadian Cloud Council
Thank you for that question.
I think to answer the question it helps to look fundamentally at what cloud computing is. It's basically a way to offer a flexible, elastic service on a utility basis. It's a standardized service provided to many customers. Those customers are demanding high levels of accountability on issues such as data protection, including privacy legal obligations as well as security obligations.
When there is a failure or breach, we read about it in the papers. There's tremendous motivation by this industry to get this right. The issue is to look at who the cloud vendors are, to look at their meeting of internationally accepted common standards for security and privacy protection, and to hold them to account on that. One of those mechanisms is to have an audit mechanism so that the customer, the SME or the government customer, is able to monitor proper care and handling of data, including personal information.
4:55 p.m.
Director, Public Sector, Canadian Cloud Council
The Ontario government has implemented a program, privacy by design. It's out of the office of the Information and Privacy Commissioner of Ontario, Ann Cavoukian. It walks through a fact-based process that allows both government and agencies that want to use cloud computing.... It says, “Here are the regulatory requirements. Report on them.”
Many have gone through this within the Ontario government and have come out the other end saying they are able to use some of these services that are available.
4:55 p.m.
Conservative
4:55 p.m.
Conservative
John Carmichael Conservative Don Valley West, ON
In that case, has the Ontario government mandated that the data warehousing or the storage of that data for PIPEDA and for all the other security mechanisms we require be in Canada?
4:55 p.m.
Chairman of the Board, Canadian Cloud Council
I'll speak to that.
The Ontario government has not mandated that the data be in Canada. Rather, it looks to a due diligence process around the quality of the service providers and holds them to account to ensure adequate control and security for the protection of the data.