Due to cloud computing’s borderless and infinite storage potential, vast amount of information can be collected and stored. However, the accumulation of personal information in the cloud increases the risks and impact of unauthorized access to the information, whether through security or data breaches. This risk is compounded when the data is transferred outside of Canada where the information is subjected to the laws of the foreign country.
Storing or Transferring Data Outside of Canada
Where personal information is transferred to a foreign third party, that information is subject to the laws of the foreign country and no contract or contractual provision can override those laws. Of some concern has been the US Patriot Act, that would give the US government access to data stored in the US. For this reason, the Privacy Commissioner of Canada has issued the following guidelines:
- Canadian-based organizations are obliged to ensure a comparable level or protection when storing or transferring data outside of Canada. This means generally having a contract or contractual provision in place to protect to the extent possible the confidentiality and security of the personal information while in the hands of the foreign service provider;
- Depending on the sensitivity of the personal information, organizations should notify individuals, that their information may be stored or accessed outside of Canada and of the potential impact this may have on privacy rights; and
- Organizations should be transparent about their handling and security policies and practices involving personal information stored or transferred outside of Canada.
Alberta and British Columbia go beyond voluntary notification. In Alberta, it is mandatory for organizations to notify individuals before transferring personal information to a foreign service provider. And in British Columbia, if the organization is in the public sector, transferring personal information to a foreign service provider is prohibited.
Security Breaches in the Cloud
Organizations should ensure that their service providers use reasonable safeguards to protect personal information from security breaches. Safeguards should be appropriate to the sensitivity of the information. In the unfortunate event that a breach does occur, it is important to ensure the service provider will cooperate with your organization to satisfy any regulatory requirements, such as any breach notification requirements.
Currently, only the Alberta privacy legislation requires mandatory breach notification in the private (non-health) sector. However, the Federal government appears intent on following Alberta’s lead, recently introducing a bill to amend the federal private sector privacy legislation, Personal Information Protection and Electronic Documents Act (PIPEDA), to include a breach notification requirement. Thus, it is prudent to include provisions addressing notification in the event of a breach when negotiating a service agreement with a cloud provider.
Checklist for Negotiating with Cloud Service Providers on Privacy Issues
In selecting a cloud service provider, here are some questions you might wish to ask related to privacy issues:
- Under what circumstances can the service provider use your data? Ensure that it is only for the purposes for which your organization’s obtained consent.
- Is your data to be held “in trust” for the customer? Your data should be your data.
- In what circumstances is the service provider permitted to disclose information without your organization’s consent? It should be only in very limited specified circumstances.
- What happens if the service provider discloses information without your consent – do you have a remedy? Consider including a liquidated damages provision for any disclosure without consent – it is often difficult to quantify the harm resulting from the disclosure of information.
- Is the service provider under a requirement to resist, to the extent lawful, an order to disclose information without your consent?
- Is the service provider under an obligation to cooperate with your organization in any regulators’ investigations (i.e., Privacy Commissioner) and to not deal with any regulators related to your information without your organization’s participation?
- What security safeguards does the service provider have in place? Which standards does the provider meet? How often is it audited and by whom?
- Are the confidentiality, security and privacy undertakings suitable? Those should be excluded from the general limit of liability or if not completely excluded, at least breaches of those provisions should attract a higher liability limit from the supplier.
- Does the service provider have different classified data restrictions with corresponding safeguards?
- Where is your data going to reside? This is particularly important to understand if your business is in a regulated industry.
- What happens to your data on termination? What is the service provider’s obligations when the agreement terminates? When the data is deleted, it is it really gone? What is the transition out process? Is the migration path workable, should you decide to change service providers?
- If your business receives a withdrawal of consent, how will the provider deal with that?
- Will you be able to provide an individual with access to their data on request?
Confidential Information Considerations
A final pearl of wisdom in addition to the above, is that PIPEDA and the other similar provincial statues speak only to information about personal information, that is information about an “identifiable individual.” These statutes have no application to non-personal business information such as trade secrets, business plans, financial reports, and other confidential information, and the way to protect the confidentiality of the non-personal business information is through provisions in the Service Agreement. However, many of the concepts addressed in PIPEDA, such as consent, security, and due diligence, would apply equally to non-personal confidential information.
Organizations will want to consider many of the issues raised in this post when entering into a service agreement with a cloud service provider whether the information provided is personal or non-personal information.