In March 2010, the Office of the Privacy Commissioner of Canada (OPC) published a paper that discusses the privacy issues raised by the increasing use of cloud computing, including issues related to jurisdiction, security, misuse of data, data retention, and lawful access.
The OPC notes that problems of jurisdiction can arise as the data may be collected, used or stored in more than one jurisdiction. Organizations that use cloud computing applications need to be fully aware to which jurisdictions the personal information of their customers and/or employees may become subject to the laws of multiple countries.
As cloud computing is by nature an Internet-based application, the security of information transferred becomes a significant concern. Experts note that encryption should be used to protect data; however, in most cases such security features are not being used. Data in storage should also be encrypted to ensure that it is not accessible by those without proper authorization.
Data held in organizations’ mainframe databases are directly within the control of the organization, however, in the cloud computing model the cloud computing service provider may be able to access the information without the knowledge or consent of the organizations or the individual. Therefore, there are risks of the cloud computing provider using the information for its own, and unapproved, purposes, such as data mining.
Personal information held in the cloud raises additional concerns relating to lawful access by organizations such as law enforcement agencies. For example, if many organizations use a centralized cloud computing infrastructure, a lawful access request to the cloud computing service provider may expose the information held by all the organizations using that service provider. In addition, lawful access requests to cloud computing service providers significantly increase the likelihood that individuals and the organizations to which individuals have provided their personal information will be unaware of such access to their data.
Organizations are required by the Personal Information Protection and Electronic Documents Act (PIPEDA) to retain personal information for only as long as the information is required for the purposes for which it was collected or as required by law. When storing data in the cloud, organizations must ensure that the cloud computing service providers have measures in place to properly dispose of all records in the cloud infrastructure. Contracts with cloud service providers should include specific requirements as to when and how information will be removed from the cloud.
Cloud service providers should be considered as outsourcers. Therefore, organizations must put in place specific contractual measures with the service provider to secure the information, require the service provider to provide privacy controls equal to or greater than of the organization sharing the data, and to ensure access and right of correction to individuals whose information is stored on the service provider’s cloud infrastructure.
The OPC noted that its jurisdiction over personal information can extend across national borders where there is the presence of a real and substantial connection between the wrongdoing and the jurisdiction. The paper provides an overview of the case of Lawson v. Accusearch, Inc., and noted that “Accusearch, then, establishes that notwithstanding the extraterritoriality of a company or Web site, where the privacy commissioner of Canada has jurisdiction over the subject matter of a complaint and can establish a real and substantial connection to Canada, she may exert jurisdiction over the complaint.”
The OPC noted that complaints about cloud computing are likely to arise from one of the four following situations:
- an organization choosing to use cloud infrastructure for data storage and/or processing;
- an organization or government body creating a private cloud infrastructure to facilitate information sharing within its environs;
- an individual user who interacts with a cloud application; or
- the misuse of data by a cloud infrastructure provider to whom it has been provided.
In the first situation, this action would be considered a transfer for processing. Principle 4.1.3 requires that the service provider provide a comparable level of protection for the information.
In the second, third, and fourth situations, the provisions of the applicable legislation (i.e. PIPEDA or the Privacy Act ) would apply to the complaint.
In summary, while cloud computing creates significant benefits for organizations, those organizations need to be fully aware of all of the risks associated with these applications and put in place appropriate measures to fully protect the personal information being entrusted to the cloud.
