From the Office of the Privacy Commissioner of Canada:
Executive Summary:
Cloud computing is a general term for an emerging kind of infrastructure. It describes any system where information and/or applications are stored online, allowing access to be achieved by the user via a device. For the purposes of that application or data the personal computer becomes in essence a “dumb terminal”, a machine that interacts with a cloud-mainframe in order to store, retrieve, or manipulate data.
Overarchingly, the cloud computing model raises concerns about:
- Appearance of jurisdictional neutrality
- Consumer lack of control
- Compromising meaningful consent to advertising
- Function creep
- Innovation dampening
There are also privacy-specific issues inherent in the cloud infrastructure:
- Jurisdiction
- Creation of new data
- Security
- Data intrusions
- Lawful access
- Processing
- Misuse of data
- Data permanence
- Data ownership
Where the Privacy Commissioner has jurisdiction over the subject matter of a complaint but the complaint deals with cloud infrastructure(s) and thus is not obviously located in Canada, current jurisprudence is clear that the Privacy Commissioner may exert jurisdiction when her assessment indicates that a real and substantial connection to Canada exists.
Real and substantial connection, as a test, must be approached from the standpoint of principled flexibility and although the jurisprudence sets out a number of factors that may be considered in making the assessment, the list is not exhaustive and none of the factors are determinative in and of themselves – it is clear that the assessment must be conducted on a case by case basis, taking into account the entire context of the complaint.
Read the whole paper here.