Many Canadian organizations have complex information technology needs. They store large volumes of personal data that need to be easily accessible, yet also protected by strong privacy safeguards. They need private and secure means for communication and data sharing. Cloud services appear to be a promising option to meet some of these needs; they offer to eliminate the expense of maintaining secure servers and deliver easy but secure data access and improved features. Cloud services are also typically more interoperable than local systems. It appears to be a cost-effective and convenient solution.
However, the decision to move to the cloud needs to be examined carefully from the perspective of privacy and security. Most cloud service providers are based in the U.S., and it can be difficult to assess whether these companies are in compliance with Canadian privacy laws and standards. Organizations often ask whether promises of compliance with the U.S. Health Insurance Portability and Accountability Act or with Federal Trade Commission recommendations are relevant in evaluating compliance with Canadian privacy laws.
In other words, does legal compliance translate, in full or in part, from one jurisdiction to another?
Key Differences between U.S. and Canadian privacy models
There is no question that Canada and the U.S. have substantially different models of privacy regulation and enforcement.
Data privacy in the U.S. is regulated by a constantly evolving patchwork of federal and state laws. There is no one overarching federal privacy law. Rather, federal privacy laws are specific to regulated industries such as health care and financial services. Outside of the regulated industries context, the Federal Trade Commission is the primary federal privacy regulator. Based on its mandate of consumer protection, the FTC has gradually taken on a broad authority to bring privacy enforcement actions against entities whose information practices have been deemed “deceptive” or “unfair.” In addition, the FTC has general authority to issue consumer protection regulations and to investigate corporate compliance with posted privacy policies.
Canada, on the other hand, has a federal commercial privacy law, the Personal Information Protection and Electronic Documents Act, in addition to sectoral privacy laws for health care and financial institutions. PIPEDA sets out ten privacy principles with which most organizations that handle personal information, including businesses and non-profit organizations, must comply. Canada also has a designated privacy regulator, the Office of the Privacy Commissioner of Canada, which investigates privacy complaints, audits organizations and issues regulations for the implementation of PIPEDA and other federal privacy laws.
The state of privacy in the U.S. cannot be understood apart from its national security legislation. Legislation such as the USA PATRIOT Act, along with the U.S. National Security Agency's PRISM program, is frequently cited as a source of privacy violations. Additionally, the U.S. Cybersecurity Information Sharing Act, passed in 2015, may legally justify the existence of a catch-all database recording Internet traffic, accessible to multiple levels of government and to corporations. These laws create even more uncertainty for organizations looking to use U.S. cloud service providers.
Provincial legislative requirements
Canadian federal privacy law does not regulate cloud services specifically. However, provincial legislation offers more in the way of data transfer requirements when dealing with U.S.-based businesses. In large part due to concerns about surveillance, several provinces have passed laws prohibiting public bodies, such as health care and educational institutions, from storing personal information outside of Canada.
The table below summarizes the provincial legislative requirements relevant to international cloud service providers.
Province | Legal considerations
British Columbia |
Nova Scotia |
Alberta |
Quebec |
Ontario |
Other provinces |
Even with these laws, private businesses still turn to PIPEDA and federal government guidance when navigating cloud solutions, as information often crosses provincial or national borders. Where the provincial legislation described above does not apply, PIPEDA requires that businesses use "contractual or other means" to ensure the cloud provider offers an appropriate level of protection.
Insights from the OPC
The OPC's past findings offer some insight and precedent into how using U.S. cloud services will affect Canadian businesses in the future. The commissioner investigated complaints regarding Canadian bank CIBC's outsourcing of financial services to third-party providers in the U.S.; the investigation concluded that the complaints were not well-founded, as CIBC had made every effort to comply with existing federal privacy laws through the use of contracts and oversight.
In another case, when a Canadian-based security system company shared customers' personal information (PI) with its U.S. parent company, it notified customers and offered opt-out opportunities. Again, the OPC deemed the complaints against the company not well-founded, as the company's practices were aligned with the purposes for which the PI was originally collected and appropriate notification was given.
These incidents reveal that Canadian privacy laws are not intended to be a barrier to international business, but rather a consideration to be taken into account.
Conclusion
Canadian organizations considering using American cloud services should carefully consider how to ensure legal compliance and enforce contracts regarding comparable levels of protection. These contracts should provide guarantees for confidentiality and security of PI, and allow for oversight, monitoring, and audits of the service provider; these are terms that the OPC has found satisfactory in past investigations.
American companies looking to provide cloud services to Canadian organizations would benefit from offering the basic functions and features their clients need to comply with Canadian laws. Committing to breach notification and data destruction, offering the option to encrypt data at rest, and allowing clients to retain control of their own encryption keys would make it easier for Canadian companies to use U.S.-based cloud providers.
That said, even with contracts and data protection services in place, the data remains subject to the laws of the service provider's country, so the USA PATRIOT Act and CISA will continue to be outstanding concerns for Canadian organizations.