Cloud increasing pressure in U.S. for updated online privacy law

March 30, 2010

It appears that the growing adoption of cloud computing, combined with the outdated Electronic Communications Privacy Act, is adding pressure in the U.S. for an updated online privacy law to better protect cloud computing users.

CNET is reporting today that “a broad coalition of companies including Google, Microsoft, and AT&T, joined by liberal and conservative advocacy groups, will announce a major push [today] to update federal privacy laws to protect mobile and cloud computing users”.

Of course, in Canada cloud computing users have the benefit of PIPEDA and – where they exist – substantially similar provincial privacy laws. To learn more about cloud computing, and related privacy law implications, you may want to check out this previous post.


Is your business engaging in “cloud computing”? Probably.

July 27, 2009

Have you heard the term “cloud computing”, but aren’t really clear what it means?

Cloud computing is an umbrella term that refers to the use of Internet-hosted computer services. Think of your server — instead of having one in-house server located on company premises, an organization might opt to buy space on a third-party provider’s server. Other options include software hosting and data storage. By purchasing computing services from a variety of Internet-based providers, your computer needs are housed within a larger “cloud” of computer services.

Some organizations are opting for “Software as a service” (SaaS), and allowing their data to reside on other companies’ servers, or “the cloud”. Users only have to buy the space they need, which allows organizations to save money on their technology costs. Other benefits include access to people with technological know-how, flexibility and reduced maintenance costs.

Cloud computing is not new, but is now embedded into the fabric of modern business operations. In fact, the Los Angeles Times has reported that the city of Los Angeles is considering using Google applications for all of its software needs.

Privacy issues related to cloud computing, however, are profound. For example, many of the security questions that relate to traditional third-party data hosting were raised when a hacker broke into a Twitter employee’s work e-mail account and stole confidential company documents. The World Privacy Forum, meanwhile, has released a 28-page report on some of the privacy issues that relate to cloud computing. The report concludes that sharing information may expose some business users to liability, and emphasizes the importance of checking a cloud provider’s terms of service, privacy policy, and location.

Canadian businesses that engage in cloud computing should be reminded that they must do so in compliance with applicable privacy laws. For example, the Personal Information Protection and Electronic Documents Act obliges organizations that transfer personal information to third parties to ensure appropriate security safeguards are in place.

They should also be mindful of the raging debate about the perils of cloud computing that has been underway now for some time. While cloud computing has the potential to provide benefits, organizations should ask themselves whether it is worth the risks it poses. You might save money in the short run, but is it worth the potential of a massive privacy breach? 


Privacy Commissioner pens guidelines for outsourcing

March 3, 2009

The Office of the Privacy Commissioner of Canada (OPC) has published some useful Guidelines for Processing Personal Data Across Borders to explain how the Personal Information Protection and Electronic Documents Act (PIPEDA) applies to transfers of personal information to third parties, including third parties operating outside of Canada, for processing.

As the OPC points out, PIPEDA does not prohibit organizations in Canada from transferring personal information to organizations in other jurisdictions for processing, but Canadian organizations are still accountable and the OPC can investigate complaints and audit privacy practices of Canadian organizations.

PIPEDA provides that

an organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.

The primary means by which an organization can protect personal information that it transfers to a third party for processing is through a contract. Organizations must also be transparent about their privacy practices, including advising customers that their personal information may be sent to another jurisdiction for processing and that while the information is in another jurisdiction, it may be accessed by the courts, law enforcement and national security authorities.

Check out the OPC’s Guidelines, and if your business hasn’t yet signed privacy contracts with all third parties to whom you transfer or disclose personal information, now may be the time.


Canada, U.S. laws on privacy complex

February 12, 2009

Canada, U.S. laws on privacy complex

My September 3, 2008 column in the Winnipeg Free Press reports on the findings of the Privacy Commissioner of Canada regarding canada.com’s outsourcing to a U.S.-based service provider. The finding highlights the complexities of Canadian and U.S. laws as they relate to the personal information of customers and reminds Canadian businesses of the need to have legal agreements with third-party service providers, especially those located in the U.S.


Time to amend the Personal Information Act

February 6, 2009

Time to amend the Personal Information Act

My January 3, 2007 column in the Winnipeg Free Press discusses the mandatory review of PIPEDA and my recommendations on behalf of the Canadian Bar Association.


Outsourcing comes with risks

February 5, 2009

Outsourcing comes with risks; U.S. service providers bring privacy concerns

My April 5, 2006 column in the Winnipeg Free Press reports on the implications of Canadian businesses using American companies to store Canadian personal information.