Bohaker & Dirks (2015). Privacy Impact Assessments and Microsoft & Google Vendor Contracts: Examining Canadian University eCommunications Outsourcing decisions.

Bohaker, H., & Dirks, J. M. (2015, September 15). Privacy Impact Assessments and Microsoft & Google Vendor Contracts: Examining Canadian University eCommunications Outsourcing decisions. Retrieved from

[“Introduction” (p 1) …]

[“eCommunications in the Global Cloud3” (p 3) …]

[“Microsoft, Google, and a Brief History of the Global Education eCommunications Market” (p 6) …]

[“Canadian Universities and eCommunications Outsourcing” (p 9) …]

[“Rationales for Outsourcing” (p 13) …]

[“Analysis of university Privacy Impact Assessments” (p 16) …]

[“Definition of Personal Information” (p 17) …]

“Western University’s PIA is one such document where personal information was defined in this way. Specifically, the document indicated that what the university was disclosing to Microsoft was the following only: ‘student name, student enrollment details (group membership) and assigned email address.’ The PIA explained this by noting ‘it is the position of Western that student email is not information that is considered to be under the custody or control of Western and therefore FIPPA does not apply to this information. It is not considered information collected by Western for use by Western for its purposes.’ The authors then went on to note that nonetheless, ‘the information in the email system is considered the personal information of the student and the system should be designed to protect it to the same security standards that would apply to any other university systems that contains personal information.’59 The University of Manitoba also did the same, noting that ‘the content of student email is not information considered under the custody or control of the University and therefore the Freedom of Information and Protection of Privacy Act (FIPPA) does not apply to this information.’60” (p 18)

[“The Similar Risk Argument” (p 19) …]

“To give just one representative example, here is the short explanation given on the University of Manitoba’s ‘Frequently Asked Questions page about their Office 365 email deployment. The question: ‘is my email subject to US government laws? The answer: ‘Yes. However, the move to Office 365 results in no appreciable difference to what currently exists with our email. US and Canadian laws regarding email are very similar in nature.63. In making such claims, we noticed that the authors of PIAs and University ‘FAQ’ documents were drawing on conclusions also reached by some privacy commissioners and asserted by some privacy experts and product vendors. As we have found in our research, this argument is deeply flawed.64 Canadian jurisdiction offers significantly better privacy protection to Canadians and residents than US jurisdiction does, for example.” (p 19)

[“Email is ‘like a postcard,’ lowering expectations of privacy.” (p 21) …]

“In addition to the similar risk argument, all PIAs made some version of the ’email is like a postcard’ or ’email is inherently insecure’ argument as a further justification in support of extra-national outsourcing. Instead of considering ways in which eCommunications systems can be deployed to enhance the privacy and security of user data and metadata, these documents defines email as a fundamentally insecure form of communication for which there could be no guarantee or expectation of privacy.” (p 21)

“The University of Manitoba’s PIA asserted that ‘Students be notified in advance of claiming their email that their information will reside in a foreign jurisdiction and will be subject to the laws of that jurisdiction, and that the University cannot guarantee protection against possible disclosure of personal information that is held in foreign jurisdiction…Students will be notified to not use the email system to send or receive sensitive personal health information.’74” (p 22)

[“Conflating privacy and security: the ‘incremental risk’ argument.” (p 23) …]

[“PIAs that focused on email only or nearly exclusively” (p 26) …]

[“Defining eCommunications as separate from the teaching and research missions of universities.” (p 26) …]

[“Contract/License Agreement Discussion” (p 32) …]

“The laws of whatever jurisdiction the data are stored in or transited through apply, and in the context of that foreign jurisdiction, the data of Canadians are viewed as belonging to non-citizens, with typically less privacy [page break] protection than that given to citizens. The PIAs we reviewed dismissed or minimized this risk with the flawed similar risk argument and a near exclusive focus on the _USA PATRIOT_ Act.” (p 32-33)

“Furthermore, the PIAs we reviewed focused nearly exclusively on data storage within the US, even though the contracts indicate otherwise. … The risk is not simply exposure to a single foreign jurisdiction, but to multiple (and unnamed and unknown) foreign jurisdictions in the global cloud.” (p 33)

“Both agreements do permit the mining of alumni email for the purpose of serving targeted advertisements.” (p 34)

“Microsoft uses the term ‘law enforcement’ but neither defines the term nor defines which country’s law enforcement agencies apply. … If the law of the requesting country prohibits even disclosing the request (as is the case with some US requests, such as security letters) then the university customer will never know about whose data was requested.” (p 35)

[“How did outsourcing to the cloud come to seem like a sensible option?” (p 36) …]

[“The Lakehead Case” (p 36) …]

[“The Role of Vendors” (p 37) …]

[“Leading by Example and Drawing on the Experiences of Peers” (p 39) …]

[“The Role of Privacy Commissioners” (p 41) …]

[“Conclusion” (p 44) …]

Selected Notes

  • 3. A slightly expanded version of this section also appears in the public summary report ‘Seeing Through The Cloud: National Jurisdiction and Location of Data, Servers, and Networks Still Matter in a Digitally Interconnected World,’ available for download on the project website:
  • 49. Paul Eluchok and David Ghantous, ‘MICROSOFT OFFICE 365 PRIVACY IMPACT ASSESSMENT Western Student E-Communications Outsourcing,’ 19 August 2014, released under FIPPA 28 May 2015 (henceforth Western PIA), 1.
  • 59. Western PIA, 5
  • 60. University of Manitoba, ‘Privacy Impact Assessment: Microsoft Office 365 Implementation: Student email project,’ Released under the Freedom of Information and Protection of Privacy Act, UM2015-10, (henceforth Manitoba PIA), undated, 3.
  • 63. .
  • 64. The full legal analysis which conclusively demonstrates why the similar risk argument is flawed is available as an appendix to this report. See Lisa Austin and Daniel Carens-Nedelsky, ‘Why Jurisdiction Still Matters,’ available as a pdf file at .
  • 74. Manitoba PIA, 3.
See this page at