CANADA

This content was last reviewed around March 2023.

Cloud-friendly

1. Are financial institutions legally permitted to use cloud services?

Yes, there is no prohibition on using cloud services under applicable regulatory laws.

2. Are there any rules that apply to cloud use by financial institutions (e.g., rules regarding outsourcing or the use of cloud services)?

B-10 Outsourcing of Business Activities, Functions and Processes ("OSFI B-10 Guidelines")

This sets out the expectations of the Office of the Superintendent of Financial Institutions ("OSFI") for federally regulated entities, such as banks, that outsource to a service provider. Federally regulated entities retain ultimate accountability for all outsourced activities. The OSFI's supervisory powers are not constrained, irrespective of whether an activity is conducted in-house, outsourced or otherwise obtained from a third party.

The OSFI's expectations may vary depending on the nature of the outsourcing arrangement, but institutions are expected to do the following:

  • Evaluate the risks associated with all existing and proposed outsourcing arrangements.
  • Develop a process for determining the materiality of arrangements.
  • Implement a program for managing and monitoring risks, commensurate with the materiality of the arrangements.
  • Ensure that senior management receives information sufficient to enable it to discharge its duties under the guidelines.

In April 2022, the OSFI released a draft update to the OSFI B-10 Guidelines, which the OSFI plans to finalize and issue in 2023-2024. The draft update includes several key changes in relation to the use of cloud service providers. These proposed changes include expanding the definition of risk, removing the materiality concept, increasing contractual requirements, and adding technology and cyber risk provisions.

An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts ("Bill 26").

On 14 June 2022, the federal government introduced Bill 26, which would enact the Critical Cyber Systems Protection Act and impose obligations on operators of a "critical cyber system." All operators of a critical cyber system would have 90 days to establish a cybersecurity program that meets the following requirements:

  • Identify and manage any organizational cybersecurity risks.
  • Protect its critical cyber systems from being compromised.
  • Detect any cybersecurity incidents affecting critical cyber systems.
  • Minimize the impact of cybersecurity incidents affecting critical cyber systems.
  • Do anything that is prescribed by the regulations.

3. Are there any specific contractual requirements for cloud outsourcing?

The Office of the Superintendent of Financial Institutions ("OSFI") expects material outsourcing arrangements to be documented by a written contract that addresses all elements of the arrangement and has been reviewed by a financial institution's legal counsel. The contract must satisfy the following:

  • Specify the scope of the relationship.
  • Outline performance measures to allow each party to determine whether the commitments contained in the contract are being fulfilled.
  • Specify the type and frequency of information the bank receives from the service provider. The contract is also expected to include procedures and requirements for the service provider to report events that may have the potential to materially affect the delivery of the service.
  • Specify whether the service provider must continue providing the service during a dispute and the resolution period, as well as the jurisdiction.
  • Specify what constitutes a default, identify remedies and allow for opportunities to cure defaults or terminate the agreement.
  • Outline the service provider's measures for business continuity.
  • Stipulate the audit requirements and, at a minimum, give the outsourcer the right to evaluate the service provided and give the OSFI or the Superintendent's representative the right to exercise the contractual rights of the outsourcer relating to the audit.
  • Set out any rules or limitations to subcontracting by the service provider.
  • Set out the bank's requirements for confidentiality and security.
  • Require the service provider to notify the bank about significant changes in insurance coverage and disclose general terms and conditions of the insurance coverage.

In addition, the proposed updates to the B-10 Outsourcing of Business Activities, Functions and Processes would increase contractual requirements by adding a non-exhaustive list of provisions that contracts are expected to include.

4. When does cloud outsourcing fall within the scope of the rules?

An outsourcing arrangement for a cloud-hosted system that is central to the outsourcing and benefits the federally regulated entity is likely to fall within the Office of the Superintendent of Financial Institutions' supervisory powers, regardless of whether the system has any users present locally.

5. Does the outsourcing need to be notified to the regulator?

Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts ("Bill 26"), once passed, will require operators to notify their respective regulator of their cybersecurity program. Bill 26 would enact the Critical Cyber Systems Protection Act, which would require operators to annually review their programs, or as otherwise prescribed by the regulations, and to notify the regulator of any changes to their programs.

6. What are the potential consequences for breaching financial services rules on cloud outsourcing?

None. The B-10 Outsourcing of Business Activities, Functions and Processes ("OSFI B-10 Guidelines") are not laws or regulations, and, therefore, attract no specific criminal, administrative, civil or other penalties or sanctions for noncompliance. Consistent failure to adhere to the OSFI B-10 Guidelines could result in an order for remedial action and affect a regulated entity's registration to operate in Canada.

7. Are there any data privacy and/or data security laws that would apply?

Yes. The Personal Information Protection and Electronic Documents Act ("PIPEDA") is a federal private sector privacy law that applies to the collection, use and disclosure of personal information in the course of a commercial activity and across borders, and to federal works, undertakings or businesses, including banks. There are also several provincial privacy laws in Canada that are substantially similar to PIPEDA.

PIPEDA requires that any organization transferring personal information cross-border for processing by a third party (including a cloud processor) must use contractual means to protect that personal information. Organizations must also be transparent about how they use personal information, including in certain circumstances advising data subjects that their personal information might be transferred to a third party for processing.

The Québec Act Respecting the Protection of Personal Information in the Private Sector ("Québec Act") does not explicitly address the use of cloud services, though it does provide that personal information cannot be released outside of Québec or entrusted to a body or person outside of Québec unless the information is protected at a level that is equivalent to the protection afforded under the Québec Act. The transferred information must only be used for the purposes for which consent was given.

Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, came into force on 22 September 2022, and has made, and will continue to make, changes to the Québec Act. These changes include the following:

  • Mandatory breach reporting requirements
  • Certain exemptions to consent where, for example, use of the information is necessary for the purpose of providing or delivering a service requested by an individual
  • Notification requirements on enterprises to individuals at the time of collecting personal information

8. Are there any restrictions under local data protection laws that would impact the overseas hosting of data?

No. Aside from the restrictions mentioned in Question 7, neither the Personal Information Protection and Electronic Documents Act nor the provincial privacy laws create outright prohibitions on cloud providers hosting data in a data center outside of Canada.

9. Does a cloud service provider need a financial services authorization or license to provide cloud services?

No.

10. Is express consent from customers or other data subjects required before moving data to the cloud?

For new customers, additional consent specifically for the use of cloud service providers is likely not required. It would be sufficient in most cases to provide the necessary disclosures within an applicable privacy policy relating to the use of third-party service providers located outside Canada (if applicable).

For existing customers, if the information is being used for the purpose it was originally collected, consent is not required. However, before transferring personal information to cloud service providers overseas, organizations need to inform the data subject that their personal information may be processed in a country outside of Canada.

11. Are there any local laws that require a cloud service provider to be able to access the data it hosts?

No.

12. Are there any local laws that would require a cloud service provider to disclose the data it hosts to any third parties in any circumstances (including regulatory or law enforcement authorities)?

Yes. While there are no laws that impose disclosure requirements on cloud service providers specifically, various Canadian law enforcement agencies and/or regulators may have the statutory right to subpoena or otherwise require the production of data and/or records in certain limited circumstances, under the applicable laws.