Storing your data in the cloud is one thing, but where the server is located is another. Different countries have different rules, after all. At Cloudwards.net, we usually look at the bad examples, but, in this article, we’re going to look at cloud storage in Canada to determine whether it might serve as a good one.
If your data is stored on servers in the U.S., laws and surveillance programs such as the Patriot Act, the CLOUD Act and PRISM will apply to it, all of which allow authorities to rifle through your files. If you use Canadian servers, though, your data falls under Canada’s jurisdiction, and the laws there arguably take better care of your privacy.
Canada has provincial and federal laws that apply to cloud storage providers. On the federal level, laws that govern your data and privacy are the Privacy Act and the Personal Information Protection and Electronic Documents Act, or PIPEDA for those of us without eidetic memories.
Some provinces have laws similar to PIPEDA, and cloud services that operate entirely within those provinces fall under the jurisdiction of those laws. Examples include Alberta’s Personal Information Protection Act, British Columbia’s Personal Information Protection Act and Quebec’s Act Respecting the Protection of Personal Information in the Private Sector.
Other provinces, namely New Brunswick, Nova Scotia and Ontario, have health privacy laws that are similar to PIPEDA, such as Ontario’s Personal Health Information Protection Act.
Let’s take a look at the federal laws now, as they’re impressive.
The Privacy Act
The Privacy Act doesn’t apply to data held by private organizations, such as cloud storage services, but to data about private citizens that’s held by the government. Citizens have a right to access and correct that information.
The act only applies to federal entities listed in the Privacy Act Schedule of Institutions. It concerns personal information the federal government collects, uses and discloses, including about federal employees, but not political parties and their representatives. Personal information is data “about an identifiable individual.”
The Personal Information Protection and Electronic Documents Act
Since cloud storage services don’t fall under the jurisdiction of the Privacy Act, they must be compliant with PIPEDA.
Organizations covered by it must have an individual’s consent to collect, use or disclose their personal information. People have a right to access the information about them held by an organization. If that data is going to be used for a purpose other than the one it was collected for, the organization must ask for consent again.
How PIPEDA Applies
Personal information includes facts or subjective information, be it recorded or not, about a person. This includes information such as:
- Age, name, ID numbers, income, ethnic origin or blood type
- Opinions, evaluations, comments, social status or disciplinary actions
- Employee files, credit records, loan records, medical records, the existence of a dispute between a consumer and a merchant, and intentions (for example, to acquire goods or services or change jobs)
There are situations, though, where PIPEDA doesn’t apply:
- Provincial or territorial governments and their agents
- Business contact information such as an employee’s name, title, business address, telephone number or email addresses that are collected, used or disclosed solely for the purpose of communicating with that person in relation to their employment or profession
- An individual’s collection, use or disclosure of personal information strictly for personal purposes (e.g. personal greeting card list)
- An organization’s collection, use or disclosure of personal information solely for journalistic, artistic or literary purposes
Interestingly, nonprofits, charity groups, political parties and associations are not subject to PIPEDA unless they are engaging in commercial activities that aren’t central to their mission and involve personal information.
Complaints to the Office of the Privacy Commissioner of Canada
Individuals may complain to the organization that breached the law or to the Office of the Privacy Commissioner of Canada. Complaints might include cloud storage employees violating the privacy of your data, for example. The office seeks to resolve issues through investigation, persuasion, mediation and conciliation, instead of the court system.
When a complaint can be resolved quickly, an early resolution officer will handle it. The officer works with both parties to resolve the complaint. In some cases, it can be resolved in days, rather than months.
PIPEDA Fair Information Principles
There are 10 fair information principles that make up the act:
- Accountability: a cloud storage organization is responsible for the data it holds and must appoint someone to oversee its compliance with these principles.
- Identifying Purposes: an organization must identify the purposes for which it collects data, either before or during the collection.
- Consent: before collecting, using or disclosing personal information, an organization must inform the individual and ask for consent.
- Limiting Collection: collection of personal information should be limited to what’s necessary.
- Limiting Use: personal information may only be used or disclosed for the purpose for which it was collected (in the case of a cloud service, storage), unless the individual consents or the law requires otherwise, and the cloud storage organization may retain the information only for as long as it serves those purposes.
- Accuracy: personal information collected and stored by cloud storage providers must be accurate, complete and up to date.
- Safeguards: personal information must be protected.
- Openness: a cloud storage organization’s policies and practices regarding personal information must be publicly available.
- Individual Access: upon request, individuals must be informed about how their personal information is managed, and they can challenge the accuracy of the information and have it updated as necessary.
- Challenging Compliance: an individual can challenge a cloud storage provider’s compliance with these principles.
Many of the principles that make up PIPEDA were devised about 20 years ago, which is a long time in the world of technology and privacy, and it shows.
Today, there are more cloud storage services, holding terabytes of data, as well as other technologies that might not fit the scope of the law. Interim measures were designed to compensate for that, but their implementation isn’t complete, according to an article by Michael Geist of the University of Ottawa, Faculty of Law.
PIPEDA came under scrutiny on the heels of a comprehensive report published by the federal Standing Committee on Access to Information, Privacy and Ethics on Feb. 28, 2018. It recommended stricter legislation and enforcement.
Much of the incentive for making changes comes from Europe adopting the General Data Protection Regulation. Its adoption made websites and services, such as cloud storage, scramble to comply before May 25, 2018.
The GDPR implements stricter rules and jeopardizes Canada’s adequacy status, which allows for free data flow between it and the EU.
PIPEDA will have to be updated and Canadian companies that work with European clients will need to comply with those changes. Otherwise, Canada might face restrictions on data transfers between it and the EU.
The adoption of the GDPR could lead to the spread of similar rules to other countries, since the regulation raised the bar for everyone. Canada doesn’t need to adopt exactly the same set of rules as Europe, but the regulation sets an important standard, at least according to Federal Privacy Commissioner Daniel Therrien, who discussed it in an interview.
The report on the modernization of PIPEDA also found that the act is no longer fit for its purpose and that the rules for consent need to be stricter. Those findings translate to 19 suggestions for updates to PIPEDA.
These included enhancing the principle of consent and adding a right to erasure similar to the one in the EU. The right to be forgotten, meaning de-indexing from online search results, was another suggestion.
The report specifically mentioned the concept of “privacy by design.” In essence, it advocated that privacy should be considered in every phase of a product’s development. That way, privacy would be protected, whether or not an individual took action to ensure it.
It raised awareness of the importance of metadata — information about a person without identifying details — and acknowledged there’s a risk of re-identification. It also recommended that the government study how best to protect such data.
Another suggestion was that people should have a right to data “portability,” or the ability to transfer their information to another service, which is, again, similar to the European model. The right to erasure is another concept from that model. It concerns giving people the right to remove online information about themselves.
The report also addressed frequent calls by the Office of the Privacy Commissioner of Canada for an increase in enforcement powers, including the right to impose fines and having more flexibility in choosing what to investigate.
The government has already made one change to PIPEDA regarding breach notifications. Mandatory breach notification will come into effect on Nov. 1, 2018. Under the new rules, organizations will have to notify individuals about privacy breaches, report those breaches to the Office of the Privacy Commissioner of Canada and keep records of them.
Not everyone is singing the praises of these changes. Some in the advertising industry are talking about the consequences of the recommendations for Canada’s economy. Specifically, they are concerned about the idea of an “opt-in” system becoming the default form of consent for the use of personal information.
“The way it is now, there is a reasonable exchange that doesn’t require explicit opt-in between the consumer and the online experience,” Sonia Carreno, president of the Interactive Advertising Bureau of Canada, said. “To make it the default creates friction. What we’re worried about is, where will this lead?”
Some of those doubts apply to cloud storage services, as well.
Canada has a good foundation for protecting privacy with its federal and provincial laws. After almost two decades, though, PIPEDA is in dire need of an update. The government will have to rush to bring it into line with the GDPR while finding a balance between protecting individual privacy and taking care of businesses.
The situation in Canada is still a far cry from the one in the U.S. Choosing a provider that keeps your data on Canadian soil gives your privacy more protection. Sync.com and OneDrive for Business are two examples. If you want to be doubly sure about your privacy, it never hurts to use a virtual private network. Read our best VPN for Canada article for help choosing one.
What are your thoughts about privacy in Canada? Do you think the recommendations will help improve laws while not hampering businesses? Let us know in the comments below. Thank you for reading.