For many businesses, you would think that “looking to the cloud” for a cheaper and easier way to store and manage computer data would be an easy decision to make. After all, you would expect that any change in business management practice that can reduce costs and increase efficiency in one area so that more money can be spent on income producing business ventures would be quickly adopted by Canadian businesses, especially start-ups that are short on cash. However, a recent study of Canadian businesses showed that they have been slow to adopt cloud computing as an option. For example, a 2012 poll by Leger Marketing revealed that just 29% of businesses responding said that they had moved into cloud computing. This is in contrast to the estimated 75% of U.S. businesses that are either currently using cloud computing or are considering using it.
This slow acceptance of cloud computing options by Canadian businesses is primarily linked to data security and privacy concerns in the context of Canada’s strict privacy laws, coupled with the fact that many of the most cost friendly cloud computing options are based outside of Canada. However, once understood, these risks can be managed.
Certainly, there are valid privacy law issues when it comes to cloud computing, whether you use the cloud for data processing, storage, backup or communications. In Canada, the main law that addresses data privacy, and that applies to cloud computing issues, is the Personal Information Protection and Electronic Documents Act (called “PIPEDA” for short). As the title of this statute suggests, this law, enacted in 2000 and phased in from 2001, was put in place to promote and set guidelines for the use and protection of “personal information” (broadly defined as “information about an identifiable individual”) collected in the course of business. Under PIPEDA, organizations are held accountable for how they collect, use, maintain and store personal information, and this obligation does not fall away once the data is transferred to and stored with a third party (i.e. a cloud service provider), even if that third party is located outside of Canada. In such a situation, the principles set out in PIPEDA require that the organization ensure a comparable level of privacy protection is put in place by the third party cloud service provider. Therefore, unless an organization is storing data offshore in a country whose privacy laws mirror those of Canada, the only way to ensure that such protection is put in place is by contractual means.
Therefore, when it comes to putting in place the legally required levels of protection for personal information stored in the cloud, a Canadian business should make sure that its cloud service provider is bound contractually to take all reasonable steps to protect personal information from unauthorized use and disclosure. Keep in mind, however, that many cloud providers, especially self-service online ones, offer only one generic form of contract for all users of the service, and will likely not be interested in negotiating additional terms and conditions with a Canadian business. Such contracts also tend to permit more liberal use of personal information than PIPEDA allows, and usually reserve the provider’s right to change the terms unilaterally from time to time, often with little notice.
In any event, contractual terms that a Canadian business should make sure are in place with a foreign cloud computing provider should require that:
- The cloud service provider has policies and processes in place, including training for its staff and effective security measures to ensure that data in its care is safeguarded at all times;
- The organization whose data is being stored in the cloud has the right to audit and inspect how the cloud service provider handles the personal information it stores, including the right to conduct a privacy law compliance audit when warranted; and
- The cloud service provider agrees to indemnify the business organization in the event that an unauthorized access to personal information results in legal action against the business organization by an individual.
It is important to note that, as a general rule, no such contract with a foreign cloud service provider can preclude access to that information by foreign law enforcement or foreign court process. This should not come as a surprise to Canadians already familiar with PIPEDA, which has always permitted lawful access to personal information by police or the civil courts as part of their respective investigative processes.
It is also important to note that, under the Privacy Commissioner’s guidance on transfers for processing, placing data in the cloud is treated as a use of personal information, and not as a disclosure of that information. Therefore, if an organization opts for a cloud computing model for the storage of data already in its possession, it does not need further consent from the individual before that personal information is transferred into the cloud. However, the Privacy Commissioner of Canada, who oversees compliance with PIPEDA, does recommend that businesses storing individuals’ personal information in an offshore cloud advise those individuals of this fact, and of the possibility that their personal information may be accessed by foreign legal and policing authorities.
Canadian business organizations that are considering moving to a cloud computing system should also think carefully about what kinds of data should be stored in the cloud, given the obvious security concerns with having data held by a third party and reachable remotely by design (and therefore reachable by attackers as well), no matter what protections are in place. Classifying data by sensitivity before migration makes this decision explicit: for example, it may make sense to keep the most sensitive types of information about customers and clients, such as banking, credit card and sensitive human resources information, on a local and secure server.
Although PIPEDA does not provide an individual with a direct right to sue organizations that breach their privacy rights, this is now changing in two respects. First, earlier this year the Ontario Court of Appeal recognized, in Jones v. Tsige, that a tort of intrusion upon seclusion (a form of invasion of privacy) exists in Ontario. Therefore, in addition to violations of PIPEDA, which may be investigated by Canada’s Privacy Commissioner, individuals who have been harmed by the unauthorized use of their personal information may be able to sue for damages in court. Although this new tort currently reaches only deliberate and highly offensive intrusions (in Jones v. Tsige, repeated unauthorized access to an individual’s banking records), its scope is likely to expand in the coming years as concern for individuals’ privacy in the Internet age continues to increase.
Second, Bill C-28, the Fighting Internet and Wireless Spam Act (FISA), which has been passed but not yet proclaimed into force, contains an amendment to PIPEDA that will allow individuals to sue organizations that have breached their obligations under PIPEDA, such as disclosing or collecting personal information without the individual’s consent, or collecting and using personal information that is not reasonably required for the organization’s business purpose. At the time of writing, this amendment is expected to become law by the middle of 2013.
Although cloud computing is slowly growing in popularity in Canada, businesses considering this move should take note of the foregoing, and carefully weigh the obvious benefits of such a move against the possible risks, in light of Canada’s strict privacy laws. Once those risks are identified, it is then incumbent upon the business to minimize them through appropriate contractual mechanisms with its cloud service provider, which must ensure that privacy standards matching those set out in PIPEDA are in place.