The term ‘cloud computing’ refers to the provision of services through websites available on the Internet. These services are typically on demand and scalable such that the user can expand her or his use of the services dramatically. Storing pictures, emails or other materials on the Internet is a use of cloud computing.
The services are typically also provided on a per usage basis (a pooled resource or utility model where resources may be shared and pooled) although many consumer-based services may be provided without charge (such as Google’s ‘Gmail’, Facebook’s social media service or similar such services) and on terms where the user agrees to accept ads in exchange for the service. Broad network access is typically a feature of such services.
The use of cloud-based services often is at very low cost: the services may be accessible from anywhere an Internet connection is available and, therefore, the services provide many benefits. The May 2010 Report of the Office of the Privacy Commissioner of Canada’s Consultations on Online Tracking, Profiling and Targeting, and Cloud Computing states:
Some of the benefits to users (businesses, especially small and medium-sized enterprises, governments and individuals) include scalability (offers unlimited processing and storage capacity), reliability (eliminates the concern of losing valuable data in paper format or via the loss of laptops or hard drives; enables access to applications and documents anywhere in the world via the Internet), cost savings, efficiency (frees up resources to focus on innovation and product development) and access to new technologies. Some … noted that since cloud users do not have to invest in information technology infrastructure, purchase hardware or buy software licences, the benefits are low up-front costs, rapid return on investment, rapid deployment, customization, flexible use and Internet scale solutions that can make use of new web-based innovations.
As a result, there has been considerable growth in the provision of cloud-based services and increasingly users are saving their personal data and information on cloud-based services. In such a case it is useful to review the requirements of mandatory privacy law in addressing cloud computing issues.
In its assessment of Facebook, the Privacy Commissioner of Canada found that users cannot opt out of receiving Facebook ads, which are provided to all users, but that such a business model was reasonable and was accepted under the Personal Information Protection and Electronic Documents Act (PIPEDA).1
The Commissioner went on to examine if the advertising purposes were “explicitly specified” (Principle 4.3.3) and whether Facebook is making a reasonable enough effort to notify users of those purposes (Principle 4.2.3).
The Facebook decision sets the stage for an assessment of privacy in the cloud computing context. Social media services, email services, and many other services are provided on the Internet and are all forms of cloud computing. Many organizations may find that some parts of the organization are already using the cloud (the Internet) for some services, such as online document collaboration, email or remote access services. The first step in seeking consent of users to such services is to clearly disclose the purposes for which personal information is being collected by the cloud service provider.
Another factor and a key risk of sharing personal information with others is that inadequate security may be provided for the information and some of the personal information may be improperly disclosed or used without the applicable individual’s consent. This is, of course, also a risk for cloud-based computing as the Internet structure requires many entities to be involved in the provision of an applicable service.2 Data may be stored in locations unknown or unfamiliar to users and there is the risk of accidental or deliberate breaches of security.
Many cloud-based services available to Canadians are based in the United States or other countries. It is clear that under Canada’s mandatory private sector privacy legislation one may use a foreign-based service provider. The Federal Privacy Commissioner has ruled (case #313) that PIPEDA does not prohibit a business’s use of foreign-based third-party service providers.
Where a Canadian business has others process the personal information of third parties that it has collected, that business remains accountable for the proper care, use and protection of that personal information, including limiting its use to the purposes for which it was collected, and for the provision of appropriate security to safeguard the information. Of course, Canadian organizations must have provisions in place when using third-party service providers to ensure a level of protection for the personal information comparable to that in Canada.
The Federal Commissioner has recommended that a company in Canada that outsources information processing (such as what occurs in cloud-based processing) to the U.S. or other foreign jurisdiction should notify its customers that the information may be available to the U.S. or other foreign agencies under a lawful order made in that country (case #313).
Some provincial privacy laws, such as in Alberta, also speak to this issue. Alberta’s Personal Information Protection Act (PIPA) requires organizations to provide notice to individuals at or before the time of collection of their personal information, if their personal information will be transferred to a service provider located outside of Canada.
Users should review the terms of the agreements with cloud service providers to understand the risks of the relationship so that the user can make informed decisions suitable for their circumstances.
Since cloud-based services are intended to be dramatically scalable and very low cost, the cloud vendor often provides the services on the basis of standard terms which are protective of the service provider’s operations and often on an ‘as is’ basis. Such terms may not meet the minimum needs for some degree of accountability that many business users will require. Businesses should be careful to review and, if not appropriate, not adopt consumer-grade terms for business-critical functions. The privacy considerations that a user should review and understand in a cloud service provider’s agreement include:
- what commitments are made to confirm control over the personal information by the user (e.g. confirmation that the data belongs to the user, audit rights, etc.);
- commitments that the personal information/data will not be used for any purpose other than as set out in the privacy policy;
- confirmation that the uses proposed in the privacy policy are reasonable to the user – e.g. the user should review and understand what those uses are and look especially for any secondary uses she or he might object to;
- arrangements made by the service provider to provide for reasonable security of the personal information/data and how the user will get its data back should it terminate use of the service;
- any limits on the service provider’s liability for defaults or injuries it may cause to the user;
- any limits on the remedies of the user in case of breaches by the service provider;
- which law will apply; and
- any agreed form for dispute resolution.
A useful list of considerations was developed by the Alberta, British Columbia and Federal Privacy Commissioners3 and serves as a guide for small businesses considering taking advantage of the efficiencies and cost effectiveness of cloud-based services. This document provides a good preliminary checklist of issues that a business or other organization should consider before adopting a cloud-based solution.
There are, of course, many differently nuanced concerns that should be addressed during any proposed move to embrace cloud computing in mainstream business operations. The following list provides a range of some of the terms that such a company may wish to include in a cloud computing contract, beyond the standard terms and conditions.
- Services are to be provided in a “good and workmanlike” or “professional” manner.
- Data belongs to the customer (or customer’s customers) and will be returned on demand in a useable format.
- Prohibition against suspension of service without sufficient notice from provider; fee disputes will not be a sufficient reason to suspend the service.
- No deletion of dormant accounts without sufficient notice to the customer.
- Termination assistance: the cloud provider is required to provide transition and conversion assistance so that data and functionality can be moved to another system after termination (usually at the customer’s cost, but at the vendor’s normal rates).
- Caps on fee increases year-over-year.
- Litigation or regulatory change co-operation assistance (such as changes to privacy laws, breach reporting requirements, and so on) usually at the customer’s cost, but at the vendor’s normal rates.
- Systems perform to specifications, which are rational.
- Systems as operated will not infringe third-party IP rights.
- Vendor bears some responsibility for data losses (not included in limitation of liability clauses) and obligation to provide disaster recovery plan (beforehand) and assistance (afterward) at no additional cost.
- Vendor is obliged to identify third-party service providers and subcontractors, and the customer has the right to audit. (There is not much else the customer can do.)
- Vendor to permit the customer to audit security, subcontracts, data recovery and backup plans (periodically).
- Vendor has a duty to report (auditable) service level compliance (uptime, lag and latency, and so on).
- Data Location. Some agencies are regulated as to where data can reside or be processed or stored (for example, health care, financial services, and public bodies). This must be imposed on the vendor (who must impose it on subcontractors).
- No secondary commercial use or disclosure of customer data (or the customer’s customers’ data) by cloud provider or its subcontractors.
- Compatible applicable law, dispute resolution procedures, etc.
- Regulatory and customer enquiry or complaint “pass-through” obligations (on the vendor) so that the customer is not blind-sided.
A thoughtful and informed understanding of the privacy implications of the use of cloud computing, together with reasonable steps to confirm satisfactory control and to limit uses and disclosure of personal information by a cloud service provider, will help the user to make more informed decisions and to benefit from the many advantages of cloud computing.
Notes
1 See PIPEDA Case Summary #2009-008, “Report of Findings into the Complaint Filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) against Facebook Inc. Under the Personal Information Protection and Electronic Documents Act”, July 16, 2009.
2 There are typically many organizations involved behind the scenes to make a service available and they might include a data centre operator, operating system service provider, application service provider, data recovery service provider, providers of the infrastructure, data storage and tools used to provide the service as well as all participants involved in the provision of the internet connectivity to and from the service provider’s website.
3 See “Cloud Computing for Small and Medium-sized Enterprises: Privacy Responsibilities and Considerations”, jointly issued by the OIPC Alberta, Office of the Privacy Commissioner of Canada and OIPC of BC, June 14, 2012. Web link is at: http://www.priv.gc.ca/information/pub/gd_cc_201206_e.asp