Risk Management Considerations Around Cloud Computing
The ongoing discussion surrounding Bill C-28 has caused Canadians to consider exactly what “privacy” entails. One issue that has come to the forefront is determining the safety of cloud computing.
Cloud computing offers companies the ability to outsource applications, platforms and infrastructure. This can include (but is not limited to) services like email, accounting software, account management systems and even servers. When a company decides to use cloud computing, it contracts with an IT firm. In turn, the IT firm may subcontract with other firms to store data and deliver other cloud computing solutions. As a result, a company’s data may be housed in a variety of locations, not all of which are necessarily under Canadian jurisdiction and law.
Federal and provincial private sector privacy legislation allows personal information to be transferred to an organization in another jurisdiction for processing and storage, as long as the organization receiving the personal information does not use it for any purposes other than what was implied or previously consented to.
However, the organization that transferred the personal information is still responsible for protecting it, and the organization the personal information is transferred to must provide a level of security comparable to what would be required under Canadian law.
In addition, the transfer must be disclosed to individuals to whom the data pertains. Generally, this should include notifying them that:
- Their personal information will be processed and stored outside of Canada.
- Their personal information will be under foreign jurisdiction, which may be less protective than the laws that exist in Canada.
Concerns have recently been voiced about the impact on private sector firms that use cloud computing in the United States, because once their data crosses the border, it is subject to section 215 of the US Patriot Act. This means US officials can obtain a judicial order for the turnover of information relating to suspected terrorism. This turnover can be “blind,” which means that, for the security of the US investigation, no parties need to be informed about the seizure of the data stored using cloud computing.
Some lawyers around the country argue that the level of data security that exists when cloud computing takes place across the border is no different from the level of security that exists today. The Treaty on Mutual Legal Assistance in Criminal Matters has been in place since 1990 and allows the United States and Canada to assist each other in any criminal investigation by sharing records and pertinent data. The Canadian Security and Intelligence Service Act allows secret warrants to be issued to obtain electronic data, whether held in cloud computing systems or otherwise. Lawyers argue that these two pieces of legislation already create situations where data can be blindly obtained and shared across the border.
Since this is such a new issue, many companies are still concerned. Organizations can consider obtaining meaningful contractual commitments for administrative, technological and physical security protections from the organization to which the personal information is being transferred. The transferring organization can also consider audit or other rights that would permit ongoing check-ups of those security protections as well as the use of the personal information.
Organizations should obtain legal advice to better understand how cloud computing transfers of personal information will affect existing legal commitments. It may be necessary to give special notice to individuals and to provide them with opt-out or termination opportunities.