In Canada, there is often a perception that using cloud computing services may be against the law or undermine privacy. This is often not the case. This FAQ guide will dispel some of the mythology around cloud computing and provide a framework to properly assess cloud computing and privacy.
When contemplating a cloud computing solution, use your existing information system — warts and all — as the baseline from which you measure any potential decisions. As objectively as possible, you need to consider the security and privacy risks inherent in your corporate infrastructure.
Q Is it illegal for a Canadian business to outsource services such as cloud computing to a non-Canadian company?
A No. There is no law preventing most Canadian businesses from “exporting” personal information. Private-sector privacy laws require you to ensure a level of security for personal information comparable to that provided in Canada, regardless of whether you permit a Canadian or non-Canadian company to manage it. However, some highly regulated industries, such as banking, have special rules which may include additional regulation for outsourced services.
Q Is it illegal for a Canadian public sector or government body to outsource services such as cloud computing to a non-Canadian company?
A It depends on the jurisdiction of the public sector or government body. British Columbia and Nova Scotia are the only jurisdictions with laws strictly regulating the export of personal information from Canada by public bodies. For all other jurisdictions, including the federal jurisdiction, public sector bodies are permitted to export personal information, but must ensure a level of security comparable to that in Canada, regardless of whether a Canadian or non-Canadian company manages it. Alberta legislation makes it an offense for a public body or service provider to disclose personal information in response to an order with no jurisdiction in Alberta.
Q Is information better protected from law enforcement and national security access in Canada than in the United States?
A Not necessarily. The provisions of the USA Patriot Act that have attracted the most criticism have equivalents under Canadian law. Regardless of where information resides, it will always be subject to lawful disclosure to law enforcement or national security bodies. In Canada, this includes search warrants under the Criminal Code of Canada and the Canadian Security Intelligence Service Act, and administrative subpoenas such as those issued under the Income Tax Act. Many European countries permit broader law enforcement and national security access to information than either the United States or Canada permit.
Q Does keeping data in Canada keep it away from American law enforcement and national security agencies?
A In short, no. Canada, the United States and most Western democracies engage in a very high level of cooperation that includes mutual legal assistance treaties and ad hoc information sharing. In the area of “signals intelligence”, Canada is a member of the “Five Eyes” program, under which Communications Surveillance Establishment Canada cooperates with the American National Security Agency, and their counterparts in the U.K., New Zealand and Australia. Most Canadian privacy laws actually permit this sort of information sharing under treaties or informal arrangements.
Q If we go with a cloud solution, should we notify our customers/users?
A Under most Canadian laws, you technically do not need to seek consumer consent or provide notice. However, the Privacy Commissioner of Canada’s position is that businesses proposing to have personal information processed outside of Canada should give customers notice. This is not required under the federal Personal Information Protection and Electronic Documents Act (PIPEDA), but probably represents a best practice. Under the Alberta and Quebec private-sector privacy laws, you are required to give your customers notice.
Q What are the legal security requirements for Canadian companies considering cloud computing?
A Canadian legislation is silent about the particular security practices you should adopt when using cloud computing. PIPEDA, for example, only says that safeguards commensurate with the sensitivity of the information must be adopted: the more sensitive the information, the greater the precautions that should be taken. The general prevailing view is that you should insist on at least the industry best practices for the sort of data at issue. The original organization remains legally responsible for safeguarding personal information even if it is outsourced. It is up to the organization to make sure that any service provider implements adequate protections. You must be mindful of any additional risks cloud computing introduces. This is principally related to data being in transit over the open Internet. You can generally mitigate these risks by using SSL, VPN or other encryption technologies to make the information secure in transit. Provided you use a reputable provider, information is often safer when in the custody of a cloud service provider: cloud providers generally have greater resources to devote to security, and mobile users will no longer have to carry data with them in vulnerable devices such as laptops and USB drives.
Q What role should jurisdiction play in a decision about whether to adopt cloud computing?
A Jurisdiction is relevant but less so than most believe. For example, you should be very wary of any situation that casts doubt over whether your contract with your service provider will be enforceable. After all, their obligations to secure your data are set out in the contract. At a minimum, you should be sure your service provider is based in a jurisdiction with a mature and fair legal system. Data may fall under the jurisdiction of any country to which the service provider is reasonably connected. This includes, at minimum, where you are located, where the service provider is based and where the data resides. For each of these jurisdictions, consider whether it introduces any meaningful increase in risk to your data. It is very difficult to determine and measure this risk; you should seek expert legal advice to do so.
Q What should I look for in the contract with my service provider?
A Here are the top 10 things you should ask for. Not every service provider will negotiate these terms and, depending on the model of cloud computing the provider uses, some are simply difficult or impossible to deliver — but you should still ask for them and consider any response.
1. Limit the service provider to using your data for your purposes only, and for no other purpose unless you explicitly consent.
2. Include a provision that the service provider holds your data “in trust” for you, making it a legal fiduciary.
3. Prohibit the service provider from making any disclosures of your data without your consent, except as expressly set out in the agreement, and contemplate what it should do in response to a legal order for access.
4. Specify the damages to which you are entitled if the service provider discloses any data without your consent by using a multiplier connected to the extent of the disclosure, instead of a fixed sum, and characterized as general damages.
5. Obligate the service provider to resist — to the extent lawful and as soon as possible — orders to disclose information without your consent.
6. Obligate the service provider to cooperate with you in any regulators’ investigations.
7. Prohibit the service provider from dealing with any regulators related to your information without your participation.
8. Implement safeguards to protect information. Require that the service provider abide by accepted information security standards instead of constantly changing technologies — and that they be regularly audited against them by a third party, with access to the audit reports available to you. The provider should warrant it will do so and will cover your costs if there is a breach resulting from its lapse. Include your ability to audit your users’ access of the data.
9. Insist on full indemnity, without limitations, for liability related to privacy and security. The provider’s warranty and indemnity should cover all of your costs and any remedies you must offer your customers due to a security breach. Require the provider have and maintain adequate insurance for such incidents, and provide you with certificates of insurance.
10. Provide that you can get your data back and the service provider cannot retain or use it after the contract ends — and make sure you get all your data back!
Q What are the best practices for decision-making around cloud computing?
A As with any new program involving the handling of personal information, your organization should undertake a privacy impact assessment (PIA). PIAs are a systematic way of canvassing all of the privacy issues inherent in a project to identify — and hopefully mitigate — them. PIAs are widely done in the public sector; private sector organizations considering moving customer or employee data to a service provider should also conduct a PIA.