Global Affairs Canada recently issued Notice to Exporters No. 1159 codifying its longstanding positions on controlled technology and Cloud computing. Historically, Canadian exporters have relied on Advisory Opinions to confirm the application of Canada’s export controls to Cloud computing and while this Notice provides long overdue public guidance on this issue, substantive guidance on SasS is noticeably absent.
What Exporters Need to Know
- This is the first guidance issued by Global Affairs Canada on use cloud computing in respect of controlled technology.
- The key factor in determining whether an export permit is required is whether there is a transfer of controlled technology/information from Canada to a foreign state. A transfer in these circumstances hinges on whether there is a “reasonable possibility” (defined by the guidance) that controlled technology may be accessed outside Canada.
- A transfer of controlled technology outside Canada requires an export permit.
- Foreign access to controlled technology via decryption keys, a lack of encryption and other security measures would be considered a transfer, requiring an export permit.
- Technology holders (the party uploading controlled technology to a cloud service provider server) are typically required to obtain the export permit (vis a vis the cloud service provider).
The Guidance
A key issue facing Technology Holders relying on the Cloud to store controlled information and technology is whether Cloud servers are located outside Canada, and if so, how that information and technology may be “accessed” outside Canada. While the Export and Import Permits Act refers to exports as “transfer(s)” of technology, this is a question of “access” and is referred to by GAC in the Guidance as “disclosure” – a transfer resulting in controlled information being accessed outside Canada.
Controlled technology is “disclosed” only where there is a “reasonable possibility” that a person outside Canada is in a position to access the controlled technology. GAC defines “reasonable possibility” as something more than a mere possibility, but less than the standard of more likely than not. This mean that there is “more than a remote possibility” that controlled technology can be accessed outside Canada in a “useable form”. Disclosure will arise where direct access is possible, or (e.g.) where a person holds decryption keys. If there is a reasonable possibility of disclosure, there is a transfer of controlled technology and an export permit is required.
GAC encourages Technology Holder exporters to undertake a risk analysis to determine whether there is a reasonable possibility of disclosure. This risk analysis is fact-specific, and changing circumstances (e.g. a new Cloud Service Provider (CSP)) will trigger a new risk analysis.
In conducting a risk analysis, a Technology Holder should consider the following:
- The location of the export destination server and whether local laws make unauthorized access more than a remote risk
- The data security measures implemented by a CSP
- Whether legal safeguards require a Technology Holder to be notified and permit challenges to access by a foreign authority
- Whether customer-managed encryption keys are stored in Canada and if they are managed so that decryption cannot be unilaterally performed by persons outside Canada
- Whether a CSP’s encryption algorithms and key management practices meet recognized industry standards
- Whether Key material is held and protected exclusively in Canada under the control of a Canadian resident
- Whether key rotation, revocation, and access logging are implemented and reviewed
- Whether safeguards are in place such as network segmentation, access controls, and monitoring
Technology Holders should also ask themselves the following questions to determine whether a transaction indicates access to controlled technology:
- Is the data held in a form, or for a duration, that makes human access technically possible?
- Does anyone have the ability to access or decrypt the data, including CSP administrators or contractors located outside Canada and if so, are there sufficient technical and process controls so that access outside of Canada is not reasonably possible?
- Are there contractual or technical safeguards that preclude or strictly limit access from outside Canada?
Importantly, the guidance addresses the unique compliance relationship between a CSP and a Technology Holder. The Technology Holder is typically the exporter, but is relying on CSP’s security protocols to ensure that an export permit is not required. While a Technology Holder is required to complete due diligence on a CSP to ensure that there is no risk of disclosure, a CSP must properly represent their security practices. In reviewing a use agreement, a Technology Holder should consider representations regarding encryption, access management, network security and logging.
Finally, the guidance provides six helpful fact scenarios to illustrate when an export permit is required in situations of a transfer of controlled technology or where no export permit is required because there is no transfer of controlled technology. The scenarios are summarized in the following chart:
| Transfer – Export Permit Required | No Transfer – No Export Permit Required |
| Persons outside Canada hold decryption keys or have routine access rights permitting data viewing or a remote possibility that the technology may be examined. | Controlled technology is moved from a server in Canada to a server located in a foreign country using industry-standard strong encryption where the key is managed ensuring that there is no remote possibility the technology could be examined by persons outside Canada. |
| Controlled technology is moved to a foreign server and is not safeguarded from disclosure (e.g. the CSP does not use industry-standard strong encryption and identity and access management). | A person outside Canada uploads controlled technology to a Canadian CSP’s server located in Canada using industry-standard strong encryption. This controlled technology is only accessed from outside Canada and the Canadian CSP cannot examine the controlled technology located on their server. |
| A CSP creates an unencrypted disaster recovery snapshot containing controlled technology stored on its servers, and that snapshot is stored on servers outside Canada with access by foreign administrators. | Controlled technology held in a sufficiently encrypted format on a server outside Canada is momentarily decrypted through non-human intervention — such as to accomplish a software function (e.g., spell-check, translation, formatting), or for automated processing in AI/ML or GPU workloads — and held on a closed system (meaning no human access is possible) where all unencrypted copies are destroyed and no disclosure or further use occurs. |
| A person normally resident in Canada travels outside Canada and accesses their employer’s cloud environment containing controlled technology that is uploaded to a Canadian server. | A person normally resident in Canada travels outside Canada and does not access their employer’s cloud environment containing controlled technology that is uploaded to a Canadian server, nor do they provide it to another person. The traveller additionally takes measures to protect controlled technology from disclosure (e.g. maintains control of their devices/accounts/credentials, uses multi-factor authentication, and is aware of destination-specific risks which may include compelled disclosure). |
