Complying with Quebec’s Data Privacy Laws Is Easier with the Data Cloud
Data privacy regulations are sweeping across the globe, with some 71% of countries worldwide adopting data protection and privacy legislation. This wide adoption of legislation requires organizations that store or process personally identifiable information (PII) to have greater control over that data, and better transparency about how they store it.
The European Union’s General Data Protection Regulation (GDPR), one of the more well-known and far-reaching of these privacy regulations, went into effect on May 25, 2018. GDPR imposes obligations on organizations that collect and store personal information and, more importantly, levies fines on those that violate GDPR. Anything deemed a violation can cost the offending organization up to 20 million euros or 4% of the company’s global revenue, whichever is higher.
Canada, in addition to being one of those 71% of countries with data protection and privacy legislation, stands out as an early adopter of privacy legislation. The Personal Information Protection and Electronic Documents Act (PIPEDA) went into full effect on January 1, 2004, governing the way Canadian businesses use and disclose personal information. Quebec takes that a step further with its Bill 64, now referred to as Law 25, which modernizes data protection and privacy legislation for Canada’s second most populated province.
Law 25 takes a phased approach to its requirements, with the first group of requirements going into effect on September 22, 2022. The next phases will go into effect in September 2023 and September 2024, respectively. At the time of this writing, phase 1 is in our privacy rearview mirror, but phase 2 quickly approaches.
At the core of Snowflake is data, and the Snowflake Data Cloud is increasingly the central platform for many organizations’ data strategies. Among the many reasons Snowflake is integral to an organization’s data strategy are its out-of-the-box security-related features. In today’s rapidly changing regulatory and compliance landscape, use of these features allows customers to keep critical data secure and to monitor that data for auditing purposes.
As the start date for phase 2 of Law 25 approaches, Snowflake customers that regularly collect, use, disclose, retain or delete PII of Quebec residents are navigating how to meet the demands of the new regulation. This blog post specifically addresses the highlighted sections in P-39.1 – Act respecting the protection of personal information in the private sector. These highlighted sections are of particular importance because they will be enforced as of September 22, 2023. I’d also like to offer some perspective on how best to handle issues such as a person’s right to rectification, data portability, data deletion and restriction of data processing.
Under Law 25, privacy impact assessments are outlined in Division I.1, Section 3.2, which states that “Any person carrying on an enterprise must establish and implement governance policies and practices regarding personal information that ensure the protection of such information.” Snowflake provides a rich set of product security features to further protect personal information. Many customers evaluating how to protect personal information and minimize access to data look specifically to Snowflake’s data governance features.
Complementary to those features are data security features that customers can and should consider when securing their Snowflake account, including secure access to Snowflake, standards-based and strong authentication/authorization methods, granular role-based access controls, encryption of data in transit and at rest, and audit activity for continuous monitoring. Snowflake has achieved a number of industry certifications, which allows Snowflake customers to have confidence in the underlying platform and the security of its backend.
Division I.1 3.2 outlines the responsibilities to establish and implement governance policies and practices regarding PII. While this is really about identifying people and processes, a thorough evaluation of the Snowflake governance features mapped to customer-defined policies allows customers to establish a data governance architecture that meets the demands of their business. There are a number of data governance operating models that I see working with Snowflake as a centralized data repository for personal information.
- Centralized: Top-down management model
- Decentralized: Bottom-up program management model
- Federated: Top-down policies, framework directions, data privacy and compliance. Also includes bottom-up reporting and feedback with autonomy to adopt both business unit and organization-level standards.
Privacy impact assessment
Division I.1 3.3 outlines the requirements for a privacy impact assessment for “any project to acquire, develop or overhaul an information system or electronic service delivery system involving the collection, use, communication, keeping or destruction of personal information.” While evaluating Snowflake as a system from a technical perspective and ingestion of PII, customers should consider how they classify and tag data in one of two ways:
- Classify and tag prior to ingesting the data in Snowflake
- Classify and tag the data with Snowflake’s classification and tagging capabilities
Once the data is classified and tagged, further protections can be placed to minimize access to data with the following security features:
Snowflake offers and commits to a range of audit offerings in the Snowflake Data Processing Addendum as well as the Security Addendum. This gives customers the ability to evaluate Snowflake’s security controls through reviewing our numerous third-party certifications and reports, or engaging with Snowflake for a more in-depth conversation.
Personal information protection measures
Also going into effect this September 2023 is Division I.1 3.4, which states that the person in charge of the protection of personal information may suggest personal protection measures related to the project, and measures to protect the personal information in a document relating to the project. From a Snowflake perspective, customers can audit the system to ensure that protection measures implemented as described above are in fact enabled. Dashboards can be built to provide active monitoring. Snowflake’s Account Usage schema is an excellent way to monitor Snowflake and understand what is normal activity, including user login behavior, authentication types, granting of administrative privileges, and IP addresses of resources connecting to Snowflake. For example, dashboards could be built detailing what tables have PII in Snowflake, policies applied to those tables or rows for further protection, and which users have access to those tables.
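As an added example (not code from the original post), the following Account Usage queries cover the four things the paragraph above names as dashboard material: login behavior and authentication types, connecting IP addresses, grants of administrative roles, and which tables carry PII together with who can read them. The views and columns are the documented SNOWFLAKE.ACCOUNT_USAGE views; the tag GOVERNANCE.TAGS.PII is an assumed customer-defined tag.

```sql
-- Added example, not from the original post. Views are SNOWFLAKE.ACCOUNT_USAGE;
-- the tag GOVERNANCE.TAGS.PII is an assumed customer-defined tag.

-- 1. Login behavior over the last 7 days: who authenticated, with which
--    factors, from which client IP, and how many attempts failed. A burst of
--    failures or a new IP for a user is the deviation from "normal" to surface.
SELECT user_name,
       first_authentication_factor,
       second_authentication_factor,
       client_ip,
       COUNT_IF(is_success = 'YES') AS successful_logins,
       COUNT_IF(is_success = 'NO')  AS failed_logins,
       MIN(event_timestamp)         AS first_seen,
       MAX(event_timestamp)         AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD('day', -7, CURRENT_TIMESTAMP())
GROUP BY 1, 2, 3, 4
ORDER BY failed_logins DESC, user_name;

-- 2. Grants of administrative privileges: active ACCOUNTADMIN or
--    SECURITYADMIN assignments made in the last 30 days, and who made them.
SELECT created_on, role, grantee_name, granted_by
FROM snowflake.account_usage.grants_to_users
WHERE role IN ('ACCOUNTADMIN', 'SECURITYADMIN')
  AND deleted_on IS NULL
  AND created_on >= DATEADD('day', -30, CURRENT_TIMESTAMP())
ORDER BY created_on DESC;

-- 3. PII inventory: every column carrying the assumed PII tag, joined to the
--    masking and row access policies currently attached to that table/column.
SELECT t.object_database, t.object_schema, t.object_name, t.column_name, t.tag_value,
       p.policy_kind, p.policy_name
FROM snowflake.account_usage.tag_references AS t
LEFT JOIN snowflake.account_usage.policy_references AS p
       ON p.ref_database_name = t.object_database
      AND p.ref_schema_name   = t.object_schema
      AND p.ref_entity_name   = t.object_name
      AND (p.ref_column_name = t.column_name OR p.ref_column_name IS NULL)
WHERE t.tag_database = 'GOVERNANCE'
  AND t.tag_schema   = 'TAGS'
  AND t.tag_name     = 'PII'
  AND t.domain       = 'COLUMN'
ORDER BY 1, 2, 3, 4;

-- 4. Who can read PII: roles holding SELECT on any PII-tagged table, and the
--    users currently assigned those roles.
WITH pii_tables AS (
  SELECT DISTINCT object_database, object_schema, object_name
  FROM snowflake.account_usage.tag_references
  WHERE tag_database = 'GOVERNANCE' AND tag_schema = 'TAGS' AND tag_name = 'PII'
)
SELECT g.table_catalog, g.table_schema, g.name AS table_name,
       g.grantee_name AS role_name, u.grantee_name AS user_name
FROM snowflake.account_usage.grants_to_roles AS g
JOIN pii_tables AS pt
  ON pt.object_database = g.table_catalog
 AND pt.object_schema   = g.table_schema
 AND pt.object_name     = g.name
LEFT JOIN snowflake.account_usage.grants_to_users AS u
  ON u.role = g.grantee_name AND u.deleted_on IS NULL
WHERE g.privilege  = 'SELECT'
  AND g.granted_on = 'TABLE'
  AND g.deleted_on IS NULL
ORDER BY 1, 2, 3, 4, 5;
```

Account Usage views are populated with some latency, so dashboards built on them suit trend and audit review rather than minute-level alerting. Query 4 only reports direct SELECT grants on tables; access through views, role hierarchy or ownership needs additional joins on GRANTS_TO_ROLES.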
Collection of personal information
Division II states that organizations must determine what information they collect and the processes by which they collect that information. From a technical perspective, Snowflake is the platform by which data is collected and processed, but customers are in charge of their data and have full control over what data they collect.
As laid out in the Snowflake Security Addendum, customer data is encrypted in transit using TLS 1.2 (or better) and at rest using AES-256 (or better) encryption. This is on by default. Customers can further use features such as modern authentication methods, network policies and governance features to maintain the confidentiality of personal information and to provide access only where a business justification requires it.
Rights of access and rectification
Law 25 covers right of access and rectification at a person’s request. When a person requests access to their personal information, Snowflake customers have the ability to meet access requests through the audit and monitoring capabilities provided in the product. This is made easier if PII data was appropriately classified and tagged as part of the privacy impact assessment, and so this is a best practice for organizations to follow. Using Snowflake access history, tag references, and object dependencies, customers are able to see the flow of sensitive information in Snowflake, from ingestion to deletion. Visibility of the data helps to find personal information and, in the event of rectification, customers can use SQL, Java or Python to update any type of data stored in Snowflake accounts. Therefore, customers should feel confident that they have the ability to locate and correct personal information in the event of rectification requests.
Customers can classify and tag PII through Snowflake features to track where that data is and ensure policies are in place to protect it. Customers can retain data until that individual wants their data destroyed, and they can then delete or anonymize that data in Snowflake. A variety of options for deletion are available based on the customer’s interpretation of the applicable law. Snowflake offers the following technical deletion options:
- Crypto deletion (crypto shredding), with data masking at run time until the scheduled deletion or purge takes place
- Blocking user access through RBAC and Row Access Policies while data awaits its scheduled deletion time
- Deletion from Snowflake data storage. Once sensitive data is no longer available through Time Travel, it remains in Fail-safe for seven days (non-configurable). Once that time has passed, the sensitive data is no longer available and no longer retrievable from Snowflake storage.
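The access and rectification steps from the previous section and the second and third deletion options above can be wired together with Snowflake’s own tagging, masking, row access policy and retention features. The following is an added example and not code from the original post; every object name (the GOVERNANCE database and its schemas, the CRM.PUBLIC.CUSTOMERS table, and the roles PII_READER and PRIVACY_OFFICER) is assumed for illustration and is not a Snowflake default.

```sql
-- Added example, not from the original post. All object and role names are
-- assumptions; run as a role that may create databases, tags and policies.

-- Governance objects live apart from the data they protect.
CREATE DATABASE IF NOT EXISTS governance;
CREATE SCHEMA   IF NOT EXISTS governance.tags;
CREATE SCHEMA   IF NOT EXISTS governance.policies;
CREATE DATABASE IF NOT EXISTS crm;

-- Classify: a PII tag whose value records the kind of personal information.
CREATE TAG IF NOT EXISTS governance.tags.pii
  ALLOWED_VALUES 'name', 'email', 'phone', 'address'
  COMMENT = 'Personal information within the scope of Quebec Law 25';

-- Mask at run time: anyone outside PII_READER sees a fixed marker, not the value.
CREATE MASKING POLICY IF NOT EXISTS governance.policies.mask_pii_string
  AS (val STRING) RETURNS STRING ->
  CASE WHEN IS_ROLE_IN_SESSION('PII_READER') THEN val ELSE '***MASKED***' END;

-- Tag-based masking: every STRING column tagged PII inherits the policy.
ALTER TAG governance.tags.pii SET MASKING POLICY governance.policies.mask_pii_string;

-- Restriction of processing: rows flagged for erasure are hidden from every
-- role except the privacy officer who completes the deletion.
CREATE ROW ACCESS POLICY IF NOT EXISTS governance.policies.hide_pending_erasure
  AS (pending_erasure BOOLEAN) RETURNS BOOLEAN ->
  NOT pending_erasure OR IS_ROLE_IN_SESSION('PRIVACY_OFFICER');

-- Assumed table holding PII of Quebec residents.
CREATE TABLE IF NOT EXISTS crm.public.customers (
  customer_id     NUMBER,
  full_name       STRING,
  email           STRING,
  postal_code     STRING,
  pending_erasure BOOLEAN DEFAULT FALSE
);

-- Tag the PII columns (masking follows the tag) and attach the row access policy.
ALTER TABLE crm.public.customers MODIFY COLUMN full_name SET TAG governance.tags.pii = 'name';
ALTER TABLE crm.public.customers MODIFY COLUMN email     SET TAG governance.tags.pii = 'email';
ALTER TABLE crm.public.customers
  ADD ROW ACCESS POLICY governance.policies.hide_pending_erasure ON (pending_erasure);

-- Retention: shorten Time Travel so deleted rows leave customer-visible storage
-- quickly. The seven-day Fail-safe window that follows is fixed by Snowflake.
ALTER TABLE crm.public.customers SET DATA_RETENTION_TIME_IN_DAYS = 1;

-- Sample record (constructed for the example).
INSERT INTO crm.public.customers (customer_id, full_name, email, postal_code)
VALUES (1001, 'Jean Tremblay', 'jean.tremblay@example.com', 'H2X 1Y4');

-- Right of access: everything held about one person (run as PII_READER;
-- any other role sees the masked marker in the tagged columns).
SELECT * FROM crm.public.customers WHERE customer_id = 1001;

-- Right of rectification: correct a value on the person's request.
UPDATE crm.public.customers
   SET email = 'jean.tremblay@example.org'
 WHERE customer_id = 1001;

-- Restriction pending deletion: from here on the row access policy hides the
-- record from every role except PRIVACY_OFFICER.
UPDATE crm.public.customers SET pending_erasure = TRUE WHERE customer_id = 1001;

-- Deletion at the scheduled time (run as PRIVACY_OFFICER).
DELETE FROM crm.public.customers WHERE customer_id = 1001 AND pending_erasure;
```

Attaching the masking policy to the tag rather than to individual columns means a newly tagged column is protected as soon as it is classified, which closes the gap between the privacy impact assessment and enforcement. The row access policy keys on a column in the same table, so marking a record for erasure is a single UPDATE that immediately restricts processing for ordinary roles.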
Incidents and notification
Customers have robust monitoring capabilities in Snowflake, including the ability to send alerts to a SIEM tool to round out their inclusion of Snowflake in their Cybersecurity Incident Response Plan (CSIRP), in addition to out-of-the-box security incident reports. Queries to monitor and alert against sensitive data in Snowflake can be built and integrated into a customer’s security operations center (SOC).
During the “lessons learned” phase of the CSIRP (assuming you are following the SANS IR steps), customers should review the relevant security measures in place on their Snowflake accounts to prevent future incidents. The goal is to comply with the part of the legislation in effect since September 2022, whereby “an enterprise who has cause to believe that a confidentiality incident involving personal information the person holds has occurred must take reasonable measures to reduce the risk of injury and to prevent new incidents of the same nature.” The review of Snowflake security features in the lessons learned phase aligns nicely with this section of Law 25 on reducing the likelihood of future incidents.
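One way to turn a monitoring query into an alert that reaches the SOC, as an added example that is not code from the original post: a scheduled Snowflake alert that fires when an administrative role is granted and sends a notification. The warehouse MONITORING_WH, the notification integration SOC_EMAIL_INTEGRATION and the address soc@example.com are assumptions; the SNOWFLAKE.ALERT functions and the GRANTS_TO_USERS view are Snowflake’s.

```sql
-- Added example, not from the original post. MONITORING_WH,
-- SOC_EMAIL_INTEGRATION and soc@example.com are assumed names.

-- Delivery channel for the alert (email recipients must be allow-listed).
CREATE NOTIFICATION INTEGRATION IF NOT EXISTS soc_email_integration
  TYPE = EMAIL
  ENABLED = TRUE
  ALLOWED_RECIPIENTS = ('soc@example.com');

-- Fire when an ACCOUNTADMIN or SECURITYADMIN grant appears between the last
-- successful run and this run, so each grant is reported once.
CREATE OR REPLACE ALERT governance.policies.alert_admin_role_grant
  WAREHOUSE = monitoring_wh
  SCHEDULE  = '60 MINUTE'
  IF (EXISTS (
        SELECT 1
        FROM snowflake.account_usage.grants_to_users
        WHERE role IN ('ACCOUNTADMIN', 'SECURITYADMIN')
          AND created_on > SNOWFLAKE.ALERT.LAST_SUCCESSFUL_SCHEDULED_TIME()
          AND created_on <= SNOWFLAKE.ALERT.SCHEDULED_TIME()))
  THEN CALL SYSTEM$SEND_EMAIL(
         'soc_email_integration',
         'soc@example.com',
         'Snowflake: administrative role granted',
         'A new ACCOUNTADMIN or SECURITYADMIN grant was recorded. '
         || 'Review SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_USERS for the grantee and granted_by.');

-- Alerts are created suspended; resume to start the schedule.
ALTER ALERT governance.policies.alert_admin_role_grant RESUME;

-- Review what the alert has done (condition evaluated, action taken, errors).
SELECT name, state, scheduled_time, completed_time, sql_error_message
FROM TABLE(INFORMATION_SCHEMA.ALERT_HISTORY())
WHERE name = 'ALERT_ADMIN_ROLE_GRANT'
ORDER BY scheduled_time DESC;
```

The alert condition reads an Account Usage view, which is populated with latency, so the schedule should not be tighter than that latency or grants will be missed between windows. For a SIEM that polls rather than receives email, the same condition query can be exposed as a view and collected on the SIEM’s own schedule.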
Cross-border transfers
As outlined in Snowflake’s Data Processing Addendum, Snowflake allows our customers to set up service accounts wherever we offer deployments, and commits to not process personal data outside of the selected region, except as reasonably necessary to provide the services.
Additionally, the Snowflake DPA is drafted to clarify our customers’ obligations with respect to data transfers, including assisting with impact assessments, hosting relevant transfer mechanisms on the Snowflake site, and describing the transfer so that our customers can meet their obligations for the transfer of personal information.
We provide the tools, you have to build it
There is, of course, nuance to all data privacy laws, and how organizations or entities interpret those laws. Snowflake provides product security features that allow customers to protect personal information, rectify personal information, and delete personal information.
Customers can implement proactive features to secure access to their Snowflake accounts and PII. Snowflake’s rich auditing and monitoring capabilities provide visibility into where PII resides and who has access to it. A carefully thought-out implementation of proactive security controls and reactive auditing controls provides a strong technical foundation for customers seeking to meet the criteria of Quebec’s Law 25.
Disclaimer: This comparison is for technical clarification only. It is not meant to be binding and shall not supersede or replace the existing agreements between the parties. Any timelines (if mentioned) are tentative and subject to change. Please see the Documentation for the most up-to-date and accurate summaries of the Snowflake Service.