International E-news - October 2011

  1. Swedish DPA warns about DP risks involved in cloud services
  2. Colombia’s data protection law approved by the Constitutional Court
  3. Canadian bill introduces mandatory data breach notification

1. Swedish DPA warns about DP risks involved in cloud services

The Swedish Data Protection Authority says that an organisation using a cloud service provider remains the data controller, and thus responsible for the data.

In its statement of 30 September, the DPA says that organisations need to put proper data processor agreements in place, and conduct a risk and vulnerability analysis.

The authority has inspected three organisations for their data protection compliance in cloud arrangements, and is critical of all of them.

- At present, we have identified a number of problems to be solved. If these are not addressed, this may require other, more stringent measures, said Göran Gräslund, General Inspector of the DPA.

Organisations which use cloud services seem to have too much trust in the cloud provider. There is, however, uncertainty about what happens to personal data when the contract ends. The authority also notes that customers do not know where the servers are and where the data is stored. Therefore, it is important to be able to provide sufficient assurances that cloud providers take the necessary security measures to protect personal data. Unclear wordings in contracts that allow the cloud provider to unilaterally change the terms is an example of poor compliance, the authority says.

The DPA has now issued guidance which clarifies the requirements of the Swedish DP Act for using cloud services (in Swedish).

Read more about this topic in a future issue of the PL&B International Report

2. Colombia’s data protection law approved by the Constitutional Court

Colombia’s data protection law has been approved by the Constitutional Court, reports Pablo Palazzi, Attorney, Allende & Brea, Buenos Aires. The new law was outlined in PL&B International Report (February 2011 p.18) in an article which forecast its adoption by the Constitutional Court later this year. The new statute, which is likely to be soon signed into law by the President, will benefit the growing call centre business and trade with the European Union.

See further details in Spanish in a report dated 6th October.

3. Canadian bill introduces mandatory data breach notification

Canada’s Parliament is currently discussing a Bill that would require organisations to notify the Privacy Commissioner of data breaches that involve “material breach of security safeguards involving personal information under its control”. A material breach is defined to be one where sensitive data has been disclosed, the breach affects a number of people and an assessment by the organisation indicates that the breach indicates a systemic problem. Individuals need to be notified if there is a real risk of significant harm to them.

In addition, the Bill seeks to specify the elements of valid consent for the collection, use or disclosure of personal information, and exclude, in certain circumstances, business contact information from the requirement of informed consent. This is the case when an organisation collects, uses or discloses personal data solely for the purpose of communicating or facilitating communication with the individual in relation to their employment, business or profession.

Bill C-12 was introduced by the federal government on 29 September, after Bill C-29 failed due to Parliament being dissolved in March. If adopted, the Bill will amend the Personal Information Protection and Electronic Documents Act (PIPEDA).

The Bill had its first reading on 29 September.

For further details on the Privacy Laws & Business International Newsletter, please click here.

Copyright Privacy Laws & Business 2011