Compliance Management, Government Regulations, Network Security, Security Strategy, Plan, Budget

Will Bill C-11 make backups illegal in Canada?

As we learned from [former Alaska Senator's] Ted Steven's “Series Of Tubes” speech in 2006, the legislators who are charged with the task of drafting and enforcing technology-related laws rarely have a deep understanding of how technology actually works.

This was made clear recently with the outrage expressed as the U.S. government attempted to pass the controversial Stop Online Piracy Act (SOPA).

But the piracy debate in Canada hasn't been quite so heated and there's a good reason for that.

In the 1990s, the Canadian government passed the “blank media levy.” This law places an additional fee on devices like MP3 players, tapes and CDs. The money collected is then distributed to record companies as compensation for the piracy they suffer at the hands of these devices.

But now, it appears that the Canadian Government believes that the old rules are no longer sufficient for dealing with new changes in technology, and they've proposed a new bill titled “The Copyright Modernization Act” (Bill C-11).

This bill proposes to place digital locks on consumer electronics, which would allow the government and the entertainment industry to regulate or censor what content one can or cannot access on the electronics they own.

Any attempt to modify or reprogram their own hardware to circumvent these technological measures may earn them up to a $1,000,000 fine and a five-year prison sentence.

As a Canadian online backup provider, Bill C-11 really caught our attention since it places specific rules and restrictions on the process of data backup. We decided to read the bill more thoroughly and give our perspective on how backup will likely change if Bill C-11 passes.

Although we're not experts in the law, we do have a very deep understanding of technology issues relating to data protection. Upon reading over the bill and doing a bit of background research, we were left with a few concerns and unanswered questions.

Of course, this new act will not make backups illegal. However, it seems that there may potentially be certain backup-related restrictions that all consumers and corporate IT departments should be made aware of.

Online backup will still be legal

The bill is modern enough to recognize the importance of network services provided through the internet. Services that copy data, such as online backup, will continue to remain legal on the condition that:

  • The act of providing this service is not, in and of itself, an act of copyright infringement.
  • If the act of copying copyrighted materials is used exclusively to improve the efficiency of a service, such as is the case with caching, this will not be considered a violation of copyright.
  • This service is not designed to allow its users to infringe copyright.
  • Although most typical online backup services will still be allowed under this law, certain types of services which allow users to share files may be affected.

Limitations on third-party backups

Under this new bill, it may also become illegal for someone to hand over their physical backups to a third party. This aspect of the bill won't likely make online backup illegal, since the bill acknowledges the legitimate use of cloud computing. But it does create uncertainty, which is never good.

The bill still leaves an undefined grey area when it comes to establishing who has the right to hold onto one's backups.

It's legal to back up through a cloud-storage provider, but is it legal to mail one's backups to a storage facility? This bill still seems uncomfortably ambiguous when it comes to this question.

Backup is backup, and original is original

If one owns the rights to the original content being backed up, it's ok to make a backup copy. This copy can only be used for data protection in the event that the original is destroyed, lost, damaged, corrupted or becomes otherwise unusable.

We've seen situations where users have mirrored network attached storage (NAS) drives for their data.

If one purchases a copyrighted work and saves it to both drives, they will have to make a choice about which is the active copy and which is the backup copy. If they watch a copyrighted movie which resides on the backup drive instead of the primary drive, they will potentially be breaking the law.

The backup copy may not act as a source copy unless the original is first destroyed. 

Backup administrator becomes babysitter

As a backup administrator, it will now be one's responsibility to ensure that all users have the legal rights to the data on their hard drives, and that these files were obtained through legitimate means. If a user has legitimate rights to a file, but has circumvented the file's technological protections, then they will fall out of compliance.

Also, the backup administrator will have to monitor the digital rights of all files within their backup storage. If a file was backed up while the user still had the rights, the backup administrator will be forced to remove it as soon as the license expires.

Compliance conflicts

For regulatory compliance reasons, many organizations will retain archives of their files, emails and other business data which must be preserved in case of litigation.

In the event of a disclosure request, the organization must perform an electronic discovery search on their historical business data in order to comply with the court's request. Part of the challenge in submitting electronic disclosures has to do with proving that the files presented are authentic and haven't been altered.

This is often done through the use of a “write once, read many” (WORM) mechanism. For example, certain specialized backup tapes can be locked up after they've been written over. This way, one knows that the information on this storage device has never been modified.

Under the new proposed legislation, this mechanism creates issues because the media might be subject to destruction in the event that just a single file fails to comply with the bill. Another problem with the bill is that it creates a conflict between the data-retention and the data-destruction obligations of the organization. If an employee emails a copyrighted music file to a co-worker, the organization may need to archive this email for five years or more for compliance reasons. During this time, the company will also be guilty of infringement since they've archived this illegal content.

In our opinion, C-11 seems to create potential conflicts that may complicate the data protection processes for Canadian companies. We believe that the government should make an effort to better engage the Canadian tech community in order to directly address these questions and prevent potential issues from arising.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.