Canada: Cloud Computing

Last Updated: July 23 2015
Article by Lyndsay A. Wasser

In recent years there has been an exponential growth in cloud computing. As more organizations begin to explore whether some form of cloud computing would be beneficial to their businesses, it is important to consider relevant legal obligations.1 In particular, since cloud computing almost inevitably involves cross-border transfers of information, if the data involved includes personal information,2 organizations should be cognizant of privacy laws applicable to such transfers. In addition, cloud computing can give rise to some unique risks that will need to be taken into consideration.

What is cloud computing? What are the benefits?

There are many definitions of cloud computing, each slightly different. One helpful definition states that cloud computing is: "Internet-based computing in which large groups of remote servers are networked so as to allow sharing of data-processing tasks, centralized data storage, and online access to computer services or resources."3 In other words, cloud computing is a broad term that can encompass a range of online services, including Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS).

Some organizations have found that cloud computing can offer a range of benefits, which may include:

  • Cost savings - Organizations may not have to invest in building their own information technology infrastructure, buying hardware or obtaining software licenses (depending upon the nature of the cloud computing services obtained);
  • Scalability - Organizations can contract for as much or as little data storage/processing as they need at any given time, and services can be adjusted as needs change;
  • Accessibility - Data can be accessed and/or processed from anywhere in the world where there is Internet access; and
  • Security - In some respects, cloud service providers may offer a higher level of data security for some organizations, especially small or mid-sized businesses that do not have advanced controls in place.

Cloud computing may also offer other benefits, such as enhanced computing power, access to new innovations, and the potential for rapid deployment. However, although there may be benefits to cloud computing, there are also legal requirements and restrictions, as well as other risks, that organizations should take into account.

Cross-border data transfers

Before "moving to the cloud", organizations should be aware of applicable laws and guidance from the privacy commissioners respecting cross-border transfers of personal information. Some legislation contains specific requirements or restrictions related to such activities. For example:

  • An Act respecting protection of personal information in the private sector (Quebec)4 provides that enterprises that communicate personal information outside Quebec or entrust a person outside Quebec with holding, using or communicating such information on their behalf, must first take all reasonable steps to ensure that the information will not be used for unauthorized purposes, and if the enterprise cannot ensure that it will not be used for unauthorized purposes it must refuse to transfer the information outside Quebec;
  • The Personal Information Protection Act (Alberta) contains certain notice and policy requirements if an organization uses a service provider outside Canada;
  • Public sector privacy legislation in British Columbia and Nova Scotia generally requires that personal information be stored and accessed only in Canada (subject to certain exceptions, including where consent is obtained); and
  • Health information privacy legislation in Ontario, Nova Scotia and Newfoundland & Labrador also contains some limitations on cross-border transfers of personal information without consent.

In addition, organizations must ensure that cross-border transfers of personal information in the course of commercial activities comply with the Personal Information Protection and Electronic Documents Act ("PIPEDA"), including the requirement to obtain knowledgeable consent to collection, use and disclosure of personal information, as well as general security, openness and accountability obligations. There are a number of cases that provide guidance on complying with PIPEDA when transferring personal information outside of Canada, and the Office of the Privacy Commissioner of Canada (the "OPC") has published "Guidelines for Processing Personal Data Across Borders", which indicate that:5

  • Although PIPEDA does not prohibit cross-border transfers of personal information, certain rules apply;
  • Organizations remain accountable for information that is processed by third parties, and must protect such information;
  • Protection of personal information processed by third parties is primarily accomplished through contract; however, contracts cannot override the laws of the recipient country;
  • Organizations must assess risks to the integrity, security and confidentiality of personal information that is transferred outside of Canada, including by taking into account the laws of, and the political, economic and social conditions in, the recipient jurisdiction; and
  • Organizations must be transparent about their personal information handling practices, including advising individuals that their information may be sent to another jurisdiction and may be accessed by the courts, law enforcement and national security authorities in such jurisdiction.

Cases decided by the OPC and provincial privacy commissioners provide additional guidance for cross-border transfers of personal information. In addition, there are some industry-specific laws and guidelines that are relevant to cross-border data transfers. For example, the Office of the Superintendent of Financial Institutions has issued guidelines on "Outsourcing of Business Activities, Functions and Processes", which include some guidance on cross-border data transfers.6

Risks related to cloud computing

One of the risks of cloud computing is that it is a relatively new and largely unregulated industry. Therefore, a number of issues are still unresolved, including questions of legal jurisdiction and ownership of data. For example, it is unclear whether the data protection laws and government disclosure requirements of multiple jurisdictions could apply simply based upon the location of servers, even if the contracting parties and affected individuals are not located in such jurisdictions.

Other risks associated with cloud computing may include:

  • Difficulty complying with the legal requirements described above. For example, it may be difficult to assess risks related to the legal, social and political condition of the recipient country, if the data passes through a number of different jurisdictions (and the cloud service provider may not disclose the countries where its servers are located);
  • Since cloud computing can involve storing and transferring data across multiple servers, it may be difficult (or even impossible) to comply with legal obligations respecting disposal of personal information when it is no longer required to accomplish the purposes for which it was collected and/or when an individual revokes consent;
  • Major cloud service providers often hold a vast repository of data, which can make them a target for cyber criminals;
  • Since cloud computing relies on the Internet, there may be a higher potential for "crashes" or other service interruptions; and
  • Many cloud service providers have standard terms and conditions of service, including broad waivers of liability respecting service levels and security, which they may claim are non-negotiable.

These risks should be taken into account when considering any form of cloud computing arrangement.

Best Practices

Given the risks involved in cloud computing, it would be prudent for organizations to consider performing a privacy impact assessment before implementing any such arrangement that would involve personal information. Such an assessment would include consideration of applicable legal requirements and restrictions, as well as the sensitivity of the information and the reasonable expectations of affected individuals.

It is also essential to carefully review and consider contracts governing cloud computing arrangements. Although privacy and data protection provisions are important in any contract with a service provider, they are particularly important in the context of cloud computing because of the high likelihood that the organization will not be able to determine the jurisdiction(s) where data will be transferred, stored and/or processed. Therefore, the organization may not be able to evaluate the data protection laws or the political, economic and social conditions of the recipient jurisdiction. Consequently, the organization may need to rely heavily upon the contract terms to ensure the integrity, security and confidentiality of personal information that is stored or processed in the cloud.

Wholesale acceptance of standard contract terms and conditions may not satisfy the organization's obligations under PIPEDA and other applicable legislation, if they do not provide for reasonable protection of personal information. In particular, the organization may need to negotiate: broad waivers of liability; provisions related to service levels and security standards; and terms governing ownership of data, including the right to have all data returned/deleted on demand or upon termination of the agreement. In some cases, it may also be possible to negotiate some restrictions upon the location where data will be stored.

For additional guidance on privacy and data protection provisions in contracts with service providers (including cloud service providers), see McMillan's Privacy Basics Issue #6, Data Protection Agreements.

Finally, organizations should consider the sensitivity of the information under their control. As noted by the OPC, it is not possible for any contract to override the laws of recipient countries. Therefore, for certain highly sensitive personal information, even the strongest contract terms may not provide sufficient protection. In such cases, organizations should consider whether the potential benefits of cloud computing outweigh the associated risks.


1 Note: This bulletin primarily focuses on issues related to the public cloud. Different considerations may apply to private clouds, community clouds and/or hybrid clouds.

2 Pursuant to applicable privacy legislation, "personal information" is information about an identifiable individual.

3 Cloud computing. Dictionary.com. Dictionary.com Unabridged. Random House, Inc. http://dictionary.reference.com/browse/cloud computing (accessed: July 09, 2015).

4 Quebec public sector privacy legislation contains similar requirements.

5 https://www.priv.gc.ca/information/guide/2009/gl_dab_090127_e.asp.

6 http://www.osfi-bsif.gc.ca/eng/fi-if/rg-ro/gdn-ort/gl-ld/pages/b10.aspx.

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2015
