2010 Consumer Privacy Consultations
Notice of Consultation and Call for Submissions
Privacy Implications of Cloud Computing
The Office of the Privacy Commissioner of Canada (OPC) invites your views on the privacy issues related to cloud computing practices and their implications for individuals, organizations, and businesses.
The aim of this consumer consultation is to learn more about cloud computing technology, explore its privacy implications, and find out what privacy protections Canadians expect with respect to cloud computing. The consultation is also intended to promote debate about the impact of these technological developments on privacy, and to inform the next review process for the Personal Information Protection and Electronic Documents Act (PIPEDA).
This is the second OPC privacy consultation in 2010, following the two-part Online Tracking, Profiling and Targeting consultation that was launched on January 18, 2010.
The consultation will begin with an open period for the submission of comments or papers by interested parties. The deadline for submissions is April 15, 2010. This will be followed by a focused panel discussion in Calgary in June. The Office welcomes applications for panel participation from a broad range of participants. Some audience seating will be available, and the event will also be webcast.
Cloud computing is defined in many different ways: in general, it is the provision of web-based services, located on remote computers, that allow individuals and businesses to use software and hardware managed by third parties. Examples of these services include online file storage, social networking sites, webmail, and online business applications. The cloud computing model allows access to information and computer resources from anywhere that a network connection is available. Cloud computing provides a shared pool of resources, including data storage space, networks, computer processing power, and specialized corporate and user applications.
Proponents of cloud computing have highlighted its advantages, including free or low-cost use of file storage space and easy access to data and computer programs by users, regardless of their location. Businesses and consumers can use powerful computer hardware and software without having to purchase it themselves, giving them a simple and less-costly way to manage and store information.
However, critics have warned about privacy and security risks arising from data storage on remote computers. For example, cloud computing services collect and store increasingly large amounts of information, and users may lose control over who has access to this information, where it may be stored, and how it might be used, retained, or disclosed. Because data stored within a cloud can be stored in different countries, and may be transmitted to computers in different geographic locations, the information may be subject to the laws of the specific location of the physical computer that holds the data.
The aim of this consumer consultation is to learn more about cloud computing, explore its privacy implications, and find out what privacy protections Canadians expect with respect to cloud computing. The consultation is also intended to promote debate about the impact of these technological developments on privacy, and to inform the next PIPEDA review process.
In advance of the panel discussion, we welcome written submissions of a maximum of 15 pages on the privacy implications of cloud computing. We are especially interested in the following issues:
THE DIGITAL ENVIRONMENT
- Current industry practices and business models:
- Some current technologies:
- Consumer awareness:
- Citizens’ attitudes:
- Individual practices:
- Risks consumers take with their personal information
PRINCIPLES FOR INFORMATION GOVERNANCE
- Accountability (obtaining consent, individual access, accuracy, correction, redress)
- Transparency (public notice, privacy policies, corporate compliance)
- Consent (opt-in, opt-out, express, implied)
- Security (encryption, de-personalization, anonymity)
- Oversight (review, audits, impact assessments)
- Safeguards (retention, disposal, destruction)