Personal Information Protection and Electronic Documents Act
Canada’s Federal Private Sector Privacy Legislation
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian federal law that applies to the collection, use, and disclosure of personal information in the course of commercial activities in all Canadian provinces as supplemented by substantially similar provincial privacy laws in Alberta, British Columbia and Québec. PIPEDA also applies to international and interprovincial transfers of personal information. As AWS does not have visibility into or knowledge of what customers are uploading onto its network, including whether or not that data is deemed subject to PIPEDA regulations, customers are responsible for their own PIPEDA compliance.
The AWS Canada (Central) Region is currently available for multiple services, including Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3), and Amazon Relational Database Service (Amazon RDS). For a complete list of AWS Regions and services, visit the Global Infrastructure page. Canada Region pricing is available on the detail page of each service, which you can find through our products & services page.
AWS data centers are built around the world in geographically-isolated clusters, which we refer to as “Regions.” Customers can choose which of the sixteen AWS Regions around the globe they wish to use, including Regions in the U.S., Australia, Brazil, Canada, China, Germany, India, Ireland, Japan, Korea, Singapore, and the UK.
What is the customer's role in securing their customer content?
AWS offers a broad set of global compute, storage, database, analytics, application, and deployment services that help organizations move faster, lower IT costs, and scale applications. By utilizing the AWS Shared Responsibility Model, AWS customers retain control of what security they choose to implement to protect their own content, platform, applications, systems and networks, no differently than they would for applications in an on-site datacenter.
When evaluating the security of a cloud solution, it is important for customers to understand and distinguish between:
• Security measures that AWS implements and operates - "security of the cloud"
• Security measures that customers implement and operate, related to the security of their customer content and applications that make use of AWS services - "security in the cloud"
For a complete list of all the security measures built into our core AWS cloud infrastructure, platforms and services, please read our Overview of Security Processes Whitepaper.
How do customers maintain ownership and control of customer content?
Maintaining customer trust is an ongoing commitment. We strive to inform customers of the privacy and data security policies, practices and technologies we’ve put in place. These commitments include:
Ownership and Control of customer content:
Access: Customers maintain full control of their content and responsibility for configuring access to AWS services and resources. We provide an advanced set of access, encryption, and logging features to help you do this effectively (such as AWS CloudTrail). We provide APIs for you to configure access control permissions for any of the services you develop or deploy in an AWS environment. We do not access or use your content for any purpose without your consent.
Storage: Customers choose the region(s) in which their customer content will be stored. We will not move or replicate customer content outside of the customer’s chosen region(s) without the customer’s consent.
Security: Customers choose how their customer content is secured. We offer our customers strong encryption for customer content in transit and at rest, and we provide customers with the option to manage their own encryption keys.
Disclosure of customer content: We do not disclose customer content unless we’re required to do so to comply with the law or a valid and binding order of a governmental or regulatory body. Unless prohibited from doing so or there is clear indication of illegal conduct in connection with the use of Amazon products or services, Amazon notifies customers before disclosing customer content so they can seek protection from disclosure.
For best practices on how to build a set of security policies and processes for your organization, refer to the AWS Security Best Practices whitepaper.
What third party audits validate AWS' security control environment?
When using AWS, organizations can rely on AWS’ certification with robust security standards, such as ISO 27001, ISO 27018, SOC 1, 2, and 3, and PCI DSS Level 1. AWS customers can use familiar measures to protect their data, such as encryption and strong passwords, in addition to AWS security features like AWS Identity and Access Management.
Can customers use AWS and comply with Canadian PIPEDA laws?
AWS customers have granular control over the data they store in the AWS cloud. AWS can assist customers directly through teams of Solutions Architects, Account Managers, Consultants, Trainers and other staff in Canada who are expertly trained on cloud security and compliance and who help AWS customers achieve high levels of security and compliance, including those customers subject to the PIPEDA regulations.
For more information on using AWS under PIPEDA, we encourage you to reach out to your privacy counsel.