In Canada, both public sector and private sector organizations must generally comply with Canadian privacy laws. The federal and provincial laws impose a variety of considerations for organizations using cloud services – especially if the services are hosted in another jurisdiction.  

Of course, depending on the cloud service provider used, the laws of foreign jurisdictions may also be applicable.

Who is responsible?

Canadian privacy law mandates that an organization collecting personal information is responsible for it. For example, the Personal Information Protection and Electronic Documents Act (PIPEDA), principle 4.1.3, provides that an organization may engage third party vendors to process data on its behalf, but the organization remains responsible for that personal information.

Apart from some public sector exceptions, an organization can generally use foreign cloud vendors. In PIPEDA case #313, the federal Privacy Commissioner addressed a case in which CIBC sought to outsource the processing of its Visa cards to a U.S. supplier. The Commissioner found that PIPEDA does not prohibit the use of foreign vendors, but Canadian organizations must have adequate provisions in place to ensure a comparable level of protection.

While much focus has been placed on the USA PATRIOT Act, most countries, including Canada, have laws that can require a cloud vendor to disclose customer data in the course of a governmental investigation. 

Comparable legal risk

In the Visa case, the Commissioner noted that personal information held by a foreign third party vendor is subject to the laws of that country and that no contractual provision can override those laws. The Commissioner found that there is a comparable legal risk that the personal information of Canadians held by an organization and its vendor (whether in Canada or the United States) can be lawfully obtained by government agencies in the applicable country. Where an organization plans to use a foreign vendor, the Commissioner found that the organization must notify its customers that the information may be available to government agencies under a lawful order made in that country.

Contractual protections recommended by privacy commissioners include:

  • Restricting collection, use, and disclosure of information other than for purposes for which the third party is expressly retained.
  • A requirement that the vendor maintain specific privacy, security and backup standards for the personal information that meet the organization's standards (or that the organization assess whether the vendor's standards are adequate for its purposes).
  • A right to audit the privacy and security practices of the cloud vendor.
  • Notice, by the vendor, of any loss or unauthorized access to personal information.
  • Access by the organization to the personal information when required.
  • Ownership of the personal information by the organization.
  • Assistance to the organization in the case of access requests, investigations, or correction requests.
  • Prohibition on the assignment or subcontracting of the contract without the consent of the organization.
  • Notice of any demand for access to or disclosure of personal information received by the vendor.

Cloud services involve the use of service elements provided by many vendors, many of which may not be located in Canada. As a result, an organization that wishes to benefit from cloud services must determine whether the particular service meets the organization's privacy compliance requirements.

While privacy is an important consideration when deciding whether to use the cloud, it is not the only one. Other considerations include security, counter-party risk, export controls, and post-termination transition.