Consider this: A service organization we’ll call
CloudCo collects and compiles personal information
from its corporate customer. The individual whose
personal information is being collected has a relationship directly
with the corporate customer, but not with CloudCo. The
personal information has been shared with CloudCo without the
individual’s knowledge or consent. Sound familiar?
Many cloud service providers host personal information without
any direct relationship with the individual. Maybe they rely on
assurances from their own customer. Or they may simply collect
personal information without thinking through the privacy
This recent decision of the Information & Privacy
Commissioner of Alberta (Professional Drivers Bureau of Canada
Inc. Case File Number P1884) deals with the
collection of personal information of truck drivers by a private
service company, called the “Professional Drivers
Bureau”. This company collected personal information about
drivers from trucking companies, created a database of
information, and then offered a search service, by which trucking
companies paid a fee for a report on the driver. In that
report, the personal information about the driver was
disclosed to the trucking company. The personal information
was gleaned and compiled into a database over a long period of
time, and it became clear during the Commissioner’s
investigation that the individuals never consented to this
collection, use and disclosure. The Commissioner ultimately decided
that the “Professional Drivers Bureau” was in breach of
Alberta privacy laws because it never obtained consent directly
from the individual truck drivers.
What can other service companies - including cloud service
providers - take away from this case?
Cloud service providers should consider whether they are
“collecting” any personal information themselves, or
merely providing a service which allows their customer to store
information in the cloud. When a service provider collects personal
information, it must obtain consent. In this case, the service
provider did not provide any notice to the individual of its
collection of her personal information, did not indicate its
purposes, and did not provide the name of someone who could answer her
questions. It apparently did not inform the trucking companies
about its purposes in collecting the personal information. All of
this was in contravention of privacy laws.
If a service provider is merely providing space on a server,
the terms of service should address privacy issues, and make it
clear that no personal information is collected, used or disclosed
by the cloud provider.
Termination issues should also be addressed in the agreement.
What happens to that data when the service relationship ends?
Consider the position of the trucking company: in this case,
the trucking company shared personal information about individuals
with the “Bureau”. When personal information is
disclosed in such a way, the trucking company should be
asking: Was this disclosure authorized by the individual? What
is the purpose of the disclosure? What contractual restrictions are
placed on the recipient, to ensure that the personal information is
used in accordance with the consent from the individual? In the
cloud context, this means contractual terms that directly address
the privacy issues.
Get privacy advice when entering into cloud-based service
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.