Cloud E-mail Grievance Dismissed
Date: May 11, 2020
Arbitrator Etherington recently dismissed a grievance that challenged a university’s decision to provide its faculty with cloud-based e-mail service.
Laurentian University implemented Gmail for faculty in the summer of 2017. Its “on premises” system was suffering from poor performance, and Gmail offered a number of advantages. For example, it integrated well with other applications that could be used by both faculty and students, came with unlimited storage and had arguably superior security fundamentals compared to any on premises solution. After a lengthy dialogue with its Faculty Association, the University moved ahead. The Association grieved, alleging a breach of privacy and academic freedom because the University had exposed faculty e-mail to United States government surveillance.
This is not the first case in the university sector to address e-mail privacy and outsourcing to the cloud. Lakehead University successfully defended a grievance in 2009 as did Dalhousie University in 2015. However, this is the first case to proceed after the publication of a “post-Snowden” research report called Seeing Through the Cloud, which forcefully argued that the e-mail privacy of Canadians is better protected when e-mail is hosted in Canada.
The Faculty Association relied heavily on Seeing Through the Cloud. It called one of the authors as an expert witness, and argued that the university had a duty to take “any available measure” – including local storage – to “maximize” faculty privacy protection.
The University argued that any privacy-related duty it owed was to take “reasonable measures,” a standard not consonant with zero risk. It disputed the claim that moving to Gmail was associated with any increased risk of lawful access by the United States government and argued that any increase in risk was immaterial. Exposure to foreign law, even if treated as a negative, was only one risk factor among many, and users have an obligation to understand and address the risks of using e-mail. E-mail, however convenient, is just one communication tool among many.
Arbitrator Etherington held that the collective agreement, read in light of the applicable jurisprudence, required the University to employ reasonable security measures rather than store data locally or employ any other specific security measure. He also explained that the adequacy of security measures must be judged in light of all the circumstances:
Thus the provisions of article 3.10.6, when read in the context of the language of 3.20.1, can only be read as imposing an obligation on the employer to not act unreasonably or fail to take reasonable security measures in deciding on the manner and level of email services to provide to faculty members. I agree with the employer submission that in applying the standard of reasonableness or reasonable security measures, one must assess compliance based on a consideration of all the circumstances. Relevant circumstances considered by adjudicators in other privacy cases have included factors such as the sensitivity of the personal information, the foreseeability of a privacy breach and resulting harm, the relevance of generally accepted or common practices in a particular sector or kind of activity, the medium and format of the records containing personal information, the prospect of criminal activity and the cost of additional security measures (Twentieth Century Fox Film Corporation, supra). I would add to this list, the extent to which employer changes to the provision of services can be said to improve or worsen the protection for privacy interests of its employees.
Arbitrator Etherington then held that the Faculty Association had not proven any failure, noting that the Association’s case was directed at United States government surveillance and not “the overall threat or risk to the privacy interests of faculty members.” He thoroughly canvassed other security factors not accounted for by the Association’s position, stressing that users ultimately have control over the communications they send over e-mail and recognizing that a shift to cloud-based e-mail had become a “common practice” in the university sector by the time Laurentian implemented Gmail in 2017.
Providing cloud-based IT services has become an imperative both inside and outside of the university and education sectors, and local storage is not always an option. This decision should help keep the focus on security fundamentals and overall risk. The risk of lawful access by foreign governments is a factor to consider, but it has yet to be treated as preclusive by any Canadian arbitrator or privacy commissioner.
The article in this client update provides general information and should not be relied on as legal advice or opinion. This publication is copyrighted by Hicks Morley Hamilton Stewart Storie LLP and may not be photocopied or reproduced in any form, in whole or in part, without the express permission of Hicks Morley Hamilton Stewart Storie LLP.