Latest news with #MichaelGeist
Medscape
05-08-2025
- Health
- Medscape
Keep Canada's Health Data Safe and in Canada, Experts Say
Canada must move quickly to safeguard its health data, experts say, adding that the need has become urgent in today's changing political climate. 'Health data are critical to health systems in Canada, but the potential of these data to be accessed and used by foreign entities for surveillance purposes without consent is concerning,' Michael Geist, professor of law and Canada research chair of internet and e-commerce law at the University of Ottawa, Ottawa, and coauthors wrote in a commentary published on July 28 in the Canadian Medical Association Journal. Kumanan Wilson, MD 'Health data are going to be extremely valuable going forward, not just for the provision of care, but also for the emerging health artificial intelligence [AI] industry,' co-author Kumanan Wilson, MD, CEO of Bruyère Health Research Institute and internal medicine specialist at the Ottawa Hospital, Ottawa, told Medscape Medical News . A Multipronged Approach Canada's health system mostly relies on US providers to manage electronic medical record systems for hospitals. These providers store encrypted data on servers that, though in Canada, are owned by US companies. 'We need to develop a sovereign Canadian cloud server, and that will take time, because it will have to provide the same functionality as the American servers. Those companies are giants because they are very good at what they do. Our ability to meet the standards that they provide is not here now,' he added. The US currently can use Canadian health data. 'For example, the recent US Clarifying Lawful Overseas Use of Data Act allows US law enforcement to access data held by US companies in other countries and could be a threat. We would rather see the US be unable to use our data. Canadian companies must have access in a privacy-secure way to support Canadian industry,' said Wilson. 'We also need to have AI algorithms that are based on our population. We can't be importing an algorithm built in the US and applying it to the Canadian population, because it's not the same as our population,' Wilson added. The authors suggest the following multipronged approach to addressing these issues: Ensure that health data are secure by requiring encryption by default. Require health data to be hosted on Canadian soil. Strengthen Canadian privacy laws against the disclosure of data to foreign countries without consent. Invest in and support the creation of Canadian cloud servers to ensure that data are held in Canada by Canadian providers. Encryption: No Panacea Victoria Lemieux, PhD, professor of archival science at the University of British Columbia in Vancouver, agrees that Canadian health data must be protected. But she is not convinced by the solutions that the authors have proposed. Victoria Lemieux, PhD 'Encryption does not solve the problem entirely, as we are now on the brink of quantum computing that has the potential to break standard encryption,' Lemieux told Medscape Medical News . 'Overreliance on encryption as a solution risks overlooking the need to ensure that all encryption used is quantum-safe. Rather than recommending encryption as a solution, I would prefer to see a recommendation that a range of privacy-enhancing technologies be employed to protect our health and other data,' Lemieux said. However, she does support investment in a Canadian cloud infrastructure. 'We face the same issue that Europe does, since we have become overly reliant on US technology firms. If we don't hold and store the data in Canada on Canadian servers run by Canadian companies, then we aren't really in control,' said Lemieux. 'A partnership with European cloud providers might help us move away from our reliance on US tech and help us develop secure and scalable alternatives.' Health data can be kept in the locations where it originates and be shared freely, when necessary, Lemieux continued. 'I have developed such technology, which currently is applied to archives and cultural heritage, but there's no reason it cannot be applied in healthcare as well.' But focusing on cloud technology development overlooks Canada's overreliance on US tech firms for AI, Lemieux noted. 'We need to ensure that the models we are using preserve privacy, comply with our Canadian values and how we want our data to be used, and do not divulge sensitive Canadian data to unauthorized parties,' she said. 'AI bots, whether from the US, China, or elsewhere, should not be allowed to range freely over our data, extracting value and information that does not come back to benefit Canadians. We must do more to protect ourselves from these bad data practices,' Lemieux added. More protection in Canadian privacy laws about disclosure to foreign jurisdictions is needed, said Lemieux, but these laws must be strengthened for the digital age. 'A law is only as good as a government's willingness to enforce it. If we take the recent Canadian government's bowing down to the US on the Digital Services Tax [a 3% tax on certain revenues of large digital service providers], I question whether we have the geopolitical clout to enforce such laws. But that's not an argument not to put the laws in place. We're better with them than without them.'
31-07-2025
- Health
Canadians' health data at risk of being handed over to U.S. authorities, experts warn
Canadians' electronic health records need more protections to prevent foreign entities from accessing patient data, according to commentary in the Canadian Medical Association Journal. Canadian privacy law is badly outdated, said Michael Geist, law professor and Canada Research Chair in internet and e-commerce law at the University of Ottawa and co-author of the commentary (new window) . "We're now talking about decades since the last major change." Geist says electronic medical records systems from clinics and hospitals — containing patients' personal health information — are often controlled by U.S. companies. The data is encrypted and primarily stored on cloud servers in Canada, but because those are owned by American companies, they are subject to American laws. Enlarge image (new window) Michael Geist is a law professor at the University of Ottawa and Canada Research Chair in Internet and E-commerce Law. Photo: Submitted by Michael Geist For example, Geist points out, the U.S. passed the Clarifying Lawful Overseas Use of Data (CLOUD) Act (new window) in 2018, which can compel companies to disclose customer information for criminal investigations, even if it's stored outside the United States. The law allows for bilateral agreements with the U.S. and other countries. Canada and the U.S. began negotiations (new window) in 2022. The companies have Canadian laws that may say they've got to provide appropriate protections for that data, Geist said. But they may have U.S. law that could compel them to disclose that information. Canada's laws, Geist says, have not yet found a way to respond to that. How health data could be used The CMAJ commentary says serious privacy, security, and economic risks arise when companies in other countries hold and use Canadian data. Among them, the authors point to the potential use of that information for law enforcement surveillance, or by private companies seeking to use the data to make money. Health data is deeply personal, and ongoing Canada-U.S. political tensions may cause some to be even warier about where and how their information is stored and used, says Lorian Hardcastle, assistant professor in the law faculty and Cumming School of Medicine at the University of Calgary. There is a compelling argument to be made to say, 'Well, you know, we just need to have this information stored in Canada and not have those dealings with American companies,' said Hardcastle. Aside from the CLOUD Act, another concern Geist lays out is the potential for foreign companies to profit off of Canadians' health data. With the growth of AI, Geist says that data has become increasingly valuable — a tremendous pool of information that could potentially be used to generate AI algorithms. (The cloud companies say their customers own and control their own data.) We should be the ones to benefit from that, Geist said. We should be the ones who are entitled to appropriate privacy protections. Enlarge image (new window) Dr. Sheryl Spithoff, with the family and community medicine department at the University of Toronto, says patient data needs additional protections. Photo: (Turgut Yeter/CBC) Dr. Sheryl Spithoff, an assistant professor at the University of Toronto, says these risks highlight how Canada's privacy laws fall short. This data is patient data. It belongs to patients. That should be used for reasons that are in their interests, that bring them benefit, that don't cause harm. Tech companies respond The CMAJ commentary says three U.S. cloud companies dominate: Google Cloud, Microsoft Azure and Amazon Web Services. Google told CBC News that customer data belongs to our customers, not to Google Cloud. It says, like many tech companies, it gets requests from governments and courts to disclose customer information, usually as part of criminal investigations. The company says it follows a transparent, fair, and thorough process to respond. It didn't comment specifically about Canadian health data. Google provides a response on a case-by-case basis, taking into account different circumstances and informed by legal requirements, customer agreements, and privacy policies, it said. We are committed to protecting privacy while also complying with applicable laws. Microsoft said that in the second half of 2022, of the nearly 5,000 demands for consumer data it received from U.S. law enforcement, 53 warrants sought content stored outside of the U.S. Microsoft's compliance team reviews government demands for customer data to ensure the requests are valid, rejects those that are not valid, and only provides the data specified in the legal order. Amazon said it does not disclose customer information in response to government demands unless we're required to do so to comply with a legally valid and binding order. In a statement, a spokesperson for Amazon Web Services wrote there have been no data requests to AWS that resulted in disclosure to the U.S. government of enterprise or government content data stored outside the U.S. since we started reporting the statistic. Limits to Canada's privacy laws Privacy experts say the failure of Canada's privacy laws to keep pace with changing technology has put the country's data sovereignty at risk. Geist says strengthening provincial laws and the federal Personal Information Protection and Electronic Documents Act, known as PIPEDA, could help create a guardrail against potential U.S. data requests reaching into Canada. In his commentary, Geist calls for stronger penalties for unauthorized disclosure of personal information without consent and guidance that foreign court orders related to Canadian data are unenforceable in Canada. Innovation, Science and Economic Development Canada says PIPEDA applies when transferring data across the border, but Geist says the law itself isn't robust enough. Geist also calls for the country to develop Canadian cloud servers for health data, and to ensure that data is hosted on Canadian soil. The wealth of health information generated by the health-care system should stay in Canada and benefit Canadians, Geist says. He and his co-authors see the potential for health AI algorithms to be developed in Canada by Canadian companies, with robust safeguards, to support health-care decisions based on data representative of Canada's population. Alison Northcott (new window) · CBC News · National Reporter Alison Northcott is a national reporter for CBC News in Montreal, covering health, business and politics. Born in Winnipeg, she is a graduate of Toronto Metropolitan University and has over 15 years experience in journalism. With files from Christine Birak and Melanie Glanz
CBC
31-07-2025
- Health
- CBC
Canadians' health data at risk of being handed over to U.S. authorities, experts warn
Canadians' electronic health records need more protections to prevent foreign entities from accessing patient data, according to commentary in the Canadian Medical Association Journal. "Canadian privacy law is badly outdated," said Michael Geist, law professor and Canada Research Chair in internet and e-commerce law at the University of Ottawa and co-author of the commentary. "We're now talking about decades since the last major change." Geist says electronic medical records systems from clinics and hospitals — containing patients' personal health information — are often controlled by U.S. companies. The data is encrypted and primarily stored on cloud servers in Canada, but because those are owned by American companies, they are subject to American laws. For example, Geist points out, the U.S. passed the Clarifying Lawful Overseas Use of Data (CLOUD) Act in 2018, which can compel companies to disclose customer information for criminal investigations, even if it's stored outside the United States. The law allows for bilateral agreements with the U.S. and other countries. Canada and the U.S. began negotiations in 2022. The companies have "Canadian laws that may say they've got to provide appropriate protections for that data," Geist said. "But they may have U.S. law that could compel them to disclose that information." Canada's laws, Geist says, have not yet found a way to respond to that. How health data could be used The CMAJ commentary says "serious privacy, security, and economic risks arise when companies in other countries hold and use Canadian data." Among them, the authors point to the potential use of that information for law enforcement surveillance, or by private companies seeking to use the data to make money. Health data is deeply personal, and ongoing Canada-U.S. political tensions may cause some to be even warier about where and how their information is stored and used, says Lorian Hardcastle, assistant professor in the law faculty and Cumming School of Medicine at the University of Calgary. "There is a compelling argument to be made to say, 'Well, you know, we just need to have this information stored in Canada and not have those dealings with American companies,'" said Hardcastle. Aside from the CLOUD Act, another concern Geist lays out is the potential for foreign companies to profit off of Canadians' health data. With the growth of AI, Geist says that data has become increasingly valuable — a tremendous pool of information that could potentially be used to generate AI algorithms. (The cloud companies say their customers own and control their own data.) "We should be the ones to benefit from that," Geist said. "We should be the ones who are entitled to appropriate privacy protections." Dr. Sheryl Spithoff, an assistant professor at the University of Toronto, says these risks highlight how Canada's privacy laws fall short. "This data is patient data. It belongs to patients. That should be used for reasons that are in their interests, that bring them benefit, that don't cause harm." Tech companies respond The CMAJ commentary says three U.S. cloud companies dominate: Google Cloud, Microsoft Azure and Amazon Web Services. Google told CBC News that "customer data belongs to our customers, not to Google Cloud." It says, like many tech companies, it gets requests from governments and courts to disclose customer information, usually as part of criminal investigations. The company says it follows a "transparent, fair, and thorough process" to respond. It didn't comment specifically about Canadian health data. "Google provides a response on a case-by-case basis, taking into account different circumstances and informed by legal requirements, customer agreements, and privacy policies," it said. "We are committed to protecting privacy while also complying with applicable laws." Microsoft said that in the second half of 2022, of the nearly 5,000 demands for "consumer data" it received from U.S. law enforcement, 53 warrants sought content stored outside of the U.S. "Microsoft's compliance team reviews government demands for customer data to ensure the requests are valid, rejects those that are not valid, and only provides the data specified in the legal order." Amazon said it "does not disclose customer information in response to government demands unless we're required to do so to comply with a legally valid and binding order." In a statement, a spokesperson for Amazon Web Services wrote "there have been no data requests to AWS that resulted in disclosure to the U.S. government of enterprise or government content data stored outside the U.S. since we started reporting the statistic." Limits to Canada's privacy laws Privacy experts say the failure of Canada's privacy laws to keep pace with changing technology has put the country's data sovereignty at risk. Geist says strengthening provincial laws and the federal Personal Information Protection and Electronic Documents Act, known as PIPEDA, could help create a guardrail against potential U.S. data requests reaching into Canada. In his commentary, Geist calls for "stronger penalties for unauthorized disclosure of personal information without consent and guidance that foreign court orders related to Canadian data are unenforceable in Canada." Innovation, Science and Economic Development Canada says PIPEDA applies when transferring data across the border, but Geist says the law itself isn't robust enough. Geist also calls for the country to develop Canadian cloud servers for health data, and to ensure that data is hosted on Canadian soil. The wealth of health information generated by the health-care system should stay in Canada and benefit Canadians, Geist says. He and his co-authors see the potential for health AI algorithms to be developed in Canada by Canadian companies, with robust safeguards, to support health-care decisions "based on data representative of Canada's population."
Globe and Mail
02-07-2025
- Business
- Globe and Mail
How much longer will Ottawa keep blundering on tech policy?
Michael Geist holds the Canada Research Chair in internet and e-commerce law at the University of Ottawa's faculty of law. After years of dismissing the warnings of likely retaliation, the Canadian government caved to U.S. pressure earlier this week as it cancelled the digital services tax. Faced with the U.S. suspension of trade negotiations, Finance Minister François-Philippe Champagne announced that the government would rescind the legislation that created it. The government was in a no-win situation: stick with the DST but face the prospect of higher tariffs, or embarrassingly drop it (and lose the projected $7.2-billion in revenue over five years) before the U.S. would agree to restart negotiations. Given the importance of a broad-based trade deal with the U.S., cancelling the DST is understandable, even if it exposes Canada's weakness in the sprint toward a final trade agreement. But more troubling is what might be characterized as a different Canadian DST: digital strategy trouble. If the digital tax debacle sounds familiar, it is because the Canadian government's misreading of the tech sector has become a recurring problem. Time and again, government leaders talk tough when proposing digital policy, practically dare companies and foreign governments to push back, and then frantically seek an exit strategy when they do. That was certainly the case with the trio of internet laws that formed the foundation of Canadian digital policy under the Trudeau-led government. The internet streaming bill, touted as an update of Canada's broadcasting laws, first became mired in controversy over regulation of user content, and later bogged down in the courts when, as promised, internet streaming companies challenged the law. Years after its introduction, the law has generated no new revenues and it could become a future target for Trump trade threats. Robyn Urback: The digital services tax was bad policy, but killing it now makes us look terribly weak Soon after, the Online News Act sparked heated opposition from the two targets – Meta Platforms Inc. and Google Inc. The government dismissed the risk of the companies blocking news links in response to the legislation, yet two years after the bill became law, news links are still blocked on Facebook and Instagram and the government was forced to revamp its legislation through regulation to get Google on board. Most recently, the government ignored the critics who warned that it was overreaching with its online harms legislation. Sure enough, the bill never even made it to committee for further study as even the government's late concession to carve out controversial Criminal Code and Human Rights Act provisions proved too little too late. Ottawa pressed to split online harms bill to fast-track its passage Beyond those laws, the government's AI legislation found little support, leading Evan Solomon, the new Minister of AI and Digital Innovation, to acknowledge that it had 'overindexed' on regulation. In other words, dismissing the concerns of AI companies created new risks of reduced investment and a declining role for Canada in the AI space. Unfortunately, there are signals that this troubling strategy will continue. The Bill C-2 lawful access provisions create significant new costs and scope in surveillance requirements that may leave Canadian and foreign companies in legal quagmires where they cannot comply with both Canadian and U.S. laws. The opposition to the bill is likely to mount in the fall until the government tries to find a way out. Further, last week the government released a joint statement with the European Union that says Canada and the EU will 'align our frameworks and standards in the regulatory field, to make online platforms safer and more inclusive, to develop trustworthy AI systems and to establish interoperable digital identities and digital credentials to facilitate interactions between our citizens and our businesses.' This suggests more of the same moves by governments on online harms, AI regulation and speech regulation. The government has too often viewed the tech sector primarily as a source of revenue for policy projects – 'make web giants pay' – while overestimating the attractiveness of the Canadian market and underestimating the risks of costly regulation. There is an obvious need for smart tech regulation, starting with doing a better job of protecting the things that matter – Canadians' privacy, data sovereignty and marketplace fairness through robust competition laws. But the strategic blunders that culminated in the embarrassing decision to cave on the DST must lead to internal acknowledgment of a failed approach. When even your marquee policy for collecting revenues from the world's leading tech companies crashes, it is time to admit that Canada desperately needs a tech regulation reset.
Yahoo
01-07-2025
- Business
- Yahoo
Canada 'naive' over how U.S. would react to digital services tax, observers say
OTTAWA — The Canadian government was naive about how the United States would react to its contentious digital services tax, says an expert. UOttawa e-commerce law professor Michael Geist told the Toronto Sun the Liberal government went against sound advice and concerns being brought up about the digital services tas (DST) — a trend the Justin Trudeau Liberals followed religiously during previous — and sometimes disastrous — attempts to control how Canadians access the Internet. 'For the past few years, the Canadian government has been naive, at best, when it's come to this issue, and I think has been typical with a number of digital policy issues,' he said. 'They've oftentimes ignored warning signs and concerns that have been raised about real risks with certain policies and forged ahead— almost inviting critics or their opponents to call their bluff.' After years of zealously defending the contentious tax, which would require tech giants to pay a tax on revenues generated from Canadian consumers, the Mark Carney Liberals did an embarrassing about-face on the policy late Sunday night — announcing the Trudeau-era legislation would be repealed. U.S. President Donald Trump walked away from trade talks last week over the DST, describing it as 'egregious' and a 'direct and blatant attack' on the U.S. Finance Minister Francois-Philippe Champagne's decision to yank the bill came after a weekend of cryptic and unhelpful comments from the PMO, claiming Canada would 'engage in these complex negotiations with the United States,' despite the fact the negotiations had been put on hold. Geist said that while he knew the government would eventually capitulate, he said he the announcement's timing threw him for a loop. 'I was pretty surprised, I'll admit,' he said. 'On the one hand, I'm not at all surprised the government ultimately backed down on the DST — that, to me, felt inevitable — but to do so late on a Sunday night, I admit, I did a couple of double-checks to make sure this really was the Twitter feed of the finance minister.' The tax, enacted a year ago via an order-in-council, was part of the Trudeau Liberal's election platform since at least 2019. The law required non-Canadian digital services with annual incomes over $1.1 billion to pay a 3% levy on all revenues from Canadian users exceeding $20 million. Monday was supposed to be the first due date for companies to pay up — a retroactive payment for revenues collected since 2022, potentially representing a $2-billion boost for government coffers. Canada's insistence on a digital services tax, Geist said, wasn't based on levelling the playing field for Canadian tech companies. 'I don't think it's anything more than there's a lot of money at stake,' he said. 'In many ways it is far larger than some of the other policy-focused attempts to extract money from tech companies, whether that was on streaming, on news —we're talking about hundreds of millions, potentially, rather than billions.' Past attempts by the previous Liberal government to regulate the internet, the Online News Act for example, resulted in Canadians no longer able to post or access news stories on Meta platforms like Facebook and Instagram. 'It was a lot of money, and in this case, it was a lot of money going to general revenues,' Geist said. 'As they tried to balance the books, or at least try to find a way to pay for various programs, the prospect of this revenue was very attractive.' bpassifiume@ X: @bryanpassifiume Carney Liberals urged to ditch DST as Trump terminates trade talks with Canada U.S. opposition to digital services tax long predates Trump administration
