PIPEDA & Client Data Security – How the Canadian Privacy Act Impacts the Cloud

We are often asked how cloud computing can impact compliance with Canada's PIPEDA (Personal Information Protection and Electronic Documents Act) regulations. As with most questions, the answer has to be taken in context – it depends on how you use the cloud and which cloud service provider you're using.

PIPEDA applies to all business activities, whether traditional or internet-based – in short, any organization collecting, using or disclosing personal information in the course of commercial activity.


The Act specifies a number of rules to which organizations must adhere when collecting, using or disclosing personal information in the course of commercial activity. Personal information is defined as "information about an identifiable individual", including:

  • Name, address, telephone number, gender;
  • Identification numbers, income or blood type;
  • Credit records, loan records, existence of a dispute between a consumer and a merchant, and intentions to acquire goods or services.

The legislation also protects personal information of a sensitive nature; this may include health or medical history, racial or ethnic origin, political opinions, religious beliefs, trade union membership and sexual orientation.

The paper Reaching for the Cloud(s): Privacy Issues related to Cloud Computing (Office of the Privacy Commissioner of Canada – March 29, 2010) came to the following conclusions:

Should the Office of the Privacy Commissioner receive complaints about cloud computing, they are likely to arise from one of four situations:

  • An organization choosing to use cloud infrastructure for data storage and/or processing;
  • An organization or government body creating a private cloud infrastructure to facilitate information sharing within its environs;
  • An individual user who interacts with a cloud application; or
  • The misuse of data by a cloud infrastructure provider to whom it has been provided.

In the first case, it is likely that under PIPEDA such actions would be considered as a transfer for processing, and accordingly… the organization would be required to ensure that a comparable level of protection is provided for the information. The organization would remain in control of the information and responsible for meeting the PIPEDA requirements. …

In the second, third and fourth situations, the provisions of the applicable legislation (PIPEDA or the Privacy Act) would apply to the subject matter of such a complaint.

Where the Privacy Commissioner has jurisdiction over the subject matter of the complaint but the complaint deals with cloud computing infrastructure and thus is not obviously located in Canada, current jurisprudence is clear that the Privacy Commissioner may exert jurisdiction when assessment indicates that a real and substantial connection to Canada exists.

Jurisprudence indicates that jurisdiction may be exerted over extra-territorial entities when a real and substantial connection to the jurisdiction may be established. This has been the case both when dealing with issues of inter-provincial and international jurisdictions, although a higher standard of connection may be required in international situations. Real and substantial connection, as a test, must be approached from the standpoint of principled flexibility, and although the jurisprudence sets out a number of factors that may be considered in making such an assessment, the list is not exhaustive and none of the factors are determinative in and of themselves – instead, the connection assessment must be conducted on a case-by-case basis.

While PIPEDA does allow for the storage of data cross-border, there are important considerations to take into account when choosing a cloud service provider. Take, for example, the class-action lawsuit filed against CIBC in 2004 by Visa cardholders when they learned their data was available to US authorities via the Patriot Act. While CIBC eventually prevailed in the courts, it's obvious that the majority of Canadian consumers would prefer their data stored within the borders of their own country.

Think you know all about PIPEDA requirements? Test yourself with the short Privacy Quiz for Business from the Office of the Privacy Commissioner!

Want to learn more about where Imogo stores its data? Visit the RackForce Gigacenter – environmentally powered and securely located in the heart of British Columbia.
