Stewart McKelvey

Vol 3 Issue 2 Summer 2013

Issue link: https://digital.canadianlawyermag.com/i/130229

law. This means the third party processor must be able to provide protection comparable to the level of protection that would otherwise have applied to the information, had it not been transferred; and

• The transferring organization ensures that disclosure is made to individuals including notice that: (i) their information will be transferred outside of Canada for the purpose of storage and processing; (ii) their information will be subject to the laws of a foreign jurisdiction; and (iii) the laws of that other jurisdiction may be different (and less protective) than those in Canada.

Where an organization transfers personal information to a cloud-infrastructure provider, its actions may fall under the watch of Canada's Privacy Commissioner under the Personal Information Protection and Electronic Documents Act, even if the cloud is private. As well, data transferred to a cloud in another country will be subject to the privacy laws of that country – for example, personal information transferred to the United States will be subject to the Patriot Act.

Where the privacy commissioner has jurisdiction over the subject matter of a complaint but the complaint deals with cloud infrastructures located outside of Canada, the privacy commissioner may still exert jurisdiction where there is a "real and substantial connection" to Canada. This is a constitutional requirement to ensure that Canada is only involved in matters where its interests are engaged. Recent jurisprudence suggests that a higher standard of connection may be required in international situations. In a 2006 Federal Court case, the fact that the plaintiff suffered damage via a computer in Canada wasn't sufficient to establish a connection where the defendant company had no physical presence or business assets in Canada. The Federal Court determined it would be unfair to subject the defendant company to the jurisdiction of a Canadian court because it would mean that a company could be sued in any jurisdiction in which its products are downloaded.

It's also noted that public bodies or governmental organizations, or persons retained to perform certain services for a public body, may also be required to ensure that personal information is stored in and accessible only from Canada (e.g. provincial legislation such as Nova Scotia's Personal Information International Disclosure Protection Act). However, some important exceptions may apply, such as instances where consent has been given to store the personal information outside Canada.

What are risk management options?

An organization can actively reduce the risks associated with cloud computing by keeping in mind the following:

• Parties to a data related contract should pay special attention to their respective rights/obligations related to notifications for breach of security, data transfers, creation of derivative (or modified) works of copyright, change of control and access to data by law enforcement entities;

• An organization should learn about the jurisdiction(s) in which its data is being stored and what privacy laws or data protection laws apply in the country(ies) of storage – for example, the European Union has relatively stringent data protection laws compared to other jurisdictions;

• An organization shouldn't move all information to a cloud in all circumstances – for example, confidential and sensitive information may become inadvertently mixed with third-party data in a cloud, such that the organization loses control over where the data is stored (and therefore where the data is accessible);

• An organization which is transferring data should be aware of its overall responsibility for the protection of the information – it's important to review the terms of any service agreement with the cloud-infrastructure provider to ensure that adequate protection will be provided;

• Customers may need to be notified or given opt-out/termination opportunities related to the data transfer, depending on the scope of the organization's privacy policy or other customer commitments; and

• An organization should consider including specific terms in its contract with the cloud-infrastructure provider to ensure adequate protection of the data against legal uncertainties.

Daniela Bassan, partner
Halifax, N.S.
902.420.3354
dbassan@stewartmckelvey.com

Michelle Chai, associate
Halifax, N.S.
902.420.3200
mchai@stewartmckelvey.com

Doing Business in Atlantic Canada SUMMER 2013 3
