While the benefits of cloud computing have been well documented in recent years, the volatile conditions created by COVID-19 have further highlighted the flexibility inherent in cloud infrastructure. Market reports estimate that, driven in part by COVID-19, the global cloud market will grow from USD 233 billion in 2019 to USD 295 billion by 2021. Similarly, in a recent industry survey on cloud usage, more than 50% of participants indicated that their cloud usage will be higher than initially planned because of COVID-19. Now more than ever, the realities of remote workplaces, business continuity planning, and the need for efficient collaboration have led organizations to adopt cloud computing as part of their IT infrastructure.
In evaluating the risks and practicality of implementing cloud computing, private sector organizations operating in Canada should consider (i) applicable privacy laws, (ii) any existing contractual limitations, and (iii) industry-specific regulations and/or guidance from regulatory bodies, if applicable.
Generally speaking, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) covers how businesses collect, use, and disclose personal information in the course of for-profit, commercial activities across Canada, except in provinces that have adopted substantially similar privacy legislation (namely Québec, British Columbia, and Alberta).
PIPEDA does not contain provisions that explicitly regulate cloud services, and it does not prohibit the processing of personal data by third parties, including processing across borders. It does, however, establish rules governing the use of third parties to process personal data, in particular: obtaining consent for the collection, use and disclosure of personal information; safeguarding the data; remaining accountable for the information; and being transparent about the organization's practices.
Transferring organizations should consider what information will be stored in the cloud and why, taking into account the sensitivity of the personal information and carefully assessing all the risks and implications of outsourcing personal data to the cloud. Organizations should likewise consider data security when evaluating a cloud provider and when negotiating contracts or reviewing terms of service. Moving to cloud infrastructure does not transfer accountability: the organization remains accountable for personal information in the hands of its service provider, and should therefore use contractual or other means to ensure a comparable level of protection while the information is being processed and stored by the third party.
Organizations using cloud computing services should (i) limit access to the information and contractually restrict any further use of it by the provider, (ii) confirm that the provider has appropriate authentication and access controls in place, (iii) review the encryption used for data in transit and at rest, including who holds and manages the keys, and determine whether it is adequate for the sensitivity of the data, (iv) ensure that procedures are in place for responding to a personal information breach or security incident, including timely notification by the provider, (v) ensure that procedures are in place for outages so that business continues and data is not lost, (vi) ensure that periodic audits are performed, and (vii) ensure that termination procedures permit the return of personal information to the organization and require the cloud provider to securely delete all personal information within reasonable and specified timeframes.
To the extent that personal information is stored on servers outside of Canada, organizations should also ensure that individuals are able to assess the risks associated with cross-border transfers. Organizations need to make it plain to individuals that their information may be processed in a foreign country and that, while there, it may be accessible to the law enforcement and national security authorities of that jurisdiction.
Also relevant are contractual obligations that may restrict or limit an organization's ability to use third party service providers. Before moving to the cloud, organizations should review their existing contracts to confirm that confidentiality and data security provisions do not limit or prohibit sharing certain data with service providers. Common contractual terms that may be engaged include an obligation to provide notice or obtain consent when onboarding new service providers, and a requirement that third party service providers maintain adequate levels of insurance coverage.
Industry-specific considerations
Industry-specific guidance documents issued by regulatory bodies may also apply within certain industries. As an example, the Office of the Superintendent of Financial Institutions ("OSFI") has published Guideline B-10, Outsourcing of Business Activities, Functions and Processes, which sets out OSFI's expectations for federally regulated entities, such as banks, that outsource to a service provider. While such guidance documents may not regulate cloud computing specifically, they generally capture outsourcing arrangements, which a cloud engagement typically is, and organizations subject to them should take them into account.