
Cloud Storage Privacy Rules Database

Last Updated: Jan 2016

This database is updated frequently and with care, but always check with your local authorities and lawyers.

Most privacy law frameworks are difficult to determine because the rules are spread among many different laws, regulations, legal rulings, and guidance documents. GeoFolder deals with this by applying the most stringent rules of ANY jurisdiction we support to ALL jurisdictions we support.

Please note that in order to comply with Data Residency restrictions, your data needs to be stored in the appropriate Country-Restricted storage within GeoFolder.

Cloud Storage Providers Privacy Law Compliance Comparison Chart

Information pulled from the official websites of each provider. If you know of an inaccuracy, please let us know and we will verify then update this chart.

| Cloud Storage Provider | Cost per Year | Storage | Breach Notification | Encryption Standards | Data Residency | Audit Trail | Physical Security of Servers | Secure Wipe of Deleted Data | Password Security | Automatic Session Timeout | Privacy Standards |
|---|---|---|---|---|---|---|---|---|---|---|---|
| GeoFolder | $165 | 1TB | YES | 256 AES Enforced. FIPS-140-2 Compliant. | YES – Enforced | YES | YES – IBM Datacenters | YES, Both Secure and Regular Delete Available. | YES, Strong Password AND Multifactor (2FA) Required | YES | PIPEDA, HIPAA, SOC2, PCI DSS Level 1, CSA, Safe Harbor (now invalid), FISMA and FedRAMP(SM) (pending), FIPS-140-2, ISO/IEC 27018:2014 (pending). |
| Microsoft Azure | $480 | 1TB | Yes | 256 AES Available but not enforced | Available but not enforced | Available, not default | Yes | Yes, after 90 days | Default strong password, but can make weak. Multifactor optional and additional cost per user. | No | HIPAA BAA available, ISO/IEC 27018:2014 Certified. |
| DropBox for Business | $204/user x 5 user minimum: $1020 | 1TB | Yes | 256 AES Enforced | No | Yes | Yes | No. “Permanent Delete” available but is not a secure delete or wipe. May take up to 60 days to take effect. | 6 Characters or more, Multifactor Optional | No | Safe Harbor (now invalid), ISO/IEC 27001 Certified, but NOT HIPAA compliant. |
| Box.com Business | $204/user x 3 user minimum: $612 | ~1TB | Enterprise only | 256 AES Enforced | No | Yes | Yes | Yes | Yes, Enforced | Yes | SOC 1 (SSAE16) Type II, SOC 2 Type II, SOC 3, compliance with HIPAA and HITECH. |
| Google Drive | $9.99 | 1TB | No | 128 bit AES Enforced. Scans your files in order to cross-sell additional Google products. | No | Yes | Yes | No | Minimum 8 characters. Multi-Factor Optional | No | Safe Harbor (now invalid) only. No support for Linux. |
| Apple iCloud | $239.88 | 1TB | Yes | 128 bit AES. Reserves right to scan your files to look for “objectionable” content. | No | Yes | Yes | No | Strong Password Enforced, Multifactor optional | No | Safe Harbor (now invalid) only. Poor Support for Windows, Android devices. No support for Linux. |
| Microsoft One Drive for Business | $61.20, Includes Office 365 Online | 1TB | Yes | 256 AES. Reserves right to scan your files to look for “objectionable” content. | No | Yes | Yes | No. Files are not permanently deleted for at least 1 year. | Strong Password Enforced. Multifactor optional. | No | HIPAA, FISMA, Safe Harbor (now invalid). Poor Support for Apple, Android devices. No support for Linux. |

Australia

Australia has different Privacy Policy Principles (APPs) at the federal, State and Territory levels, but with regard to Cloud Storage they all agree on the following. See your local jurisdiction's authorities for Privacy Policies that affect other topics.

All States and Territories

| Sector | Breach Notification | Encryption Standards | Data Residency | Audit Trail | Physical Security of Servers | Secure Wipe of Deleted Data | Strong Password | Automatic Session Timeout | Security Standards |
|---|---|---|---|---|---|---|---|---|---|
| Government and Healthcare | Highly Recommended if Real Risk of Serious Harm, Not Required. Mandatory has been proposed by ALRC. | Yes | If Exported, must use Contracts and SLA to ensure same level of protection as APPs | Yes | Yes | Yes – “Irretrievable destruction” | Yes | No | “Reasonable Steps”. ISO 31000, ISO/IEC 27000 Series Standards Recommended. |
| All Other Sectors | Highly Recommended if Real Risk of Serious Harm, Not Required. Mandatory has been proposed by ALRC. | Yes | If Exported, must use Contracts and SLA to ensure same level of protection as APPs | Yes | Yes | Yes – “Irretrievable destruction” | Yes | No | “Reasonable Steps” |

Canada

Alberta

| Sector | Breach Notification | Encryption Standards | Data Residency | Audit Trail | Physical Security of Servers | Secure Wipe of Deleted Data | Strong Password | Automatic Session Timeout | Security Standards |
|---|---|---|---|---|---|---|---|---|---|
| Political Organizations, Journalists | Mandatory if Real Risk of Significant Harm. | Yes | Not Mentioned | Yes | Yes | Not Mentioned | Not Mentioned | No | “Reasonable” / Commensurate with Sensitivity |
| All Other Sectors | Mandatory if Real Risk of Significant Harm. | Yes | Yes, Private Data Cannot Fall Under Jurisdiction of Foreign Court | Yes | Yes | Yes | Yes | No | “Reasonable” / Commensurate with Sensitivity |

British Columbia

| Sector | Breach Notification | Encryption Standards | Data Residency | Audit Trail | Physical Security of Servers | Secure Wipe of Deleted Data | Strong Password | Automatic Session Timeout | Security Standards |
|---|---|---|---|---|---|---|---|---|---|
| Government, Public Bodies | Recommended, if Risk of Significant Harm. | Yes | Yes – BOTH Storage and Access must be in Canada | Yes | Yes | Not Mentioned | Yes | No | “Reasonable” / Commensurate with Sensitivity |
| All Other Sectors | Recommended, if Risk of Significant Harm. | Yes | Must Disclose if Data Leaves Canada. | Yes | Yes | Yes | Yes | No | “Reasonable Security Arrangements” |

Nova Scotia

| Sector | Breach Notification | Encryption Standards | Data Residency | Audit Trail | Physical Security of Servers | Secure Wipe of Deleted Data | Strong Password | Automatic Session Timeout | Security Standards |
|---|---|---|---|---|---|---|---|---|---|
| Government, Federal Organizations, Journalists, Public Bodies | Recommended, if Risk of Significant Harm. | Yes | Yes – BOTH Storage and Access must be in Canada | Yes | Yes | Not Mentioned | Yes | No | “Reasonable” / Commensurate with Sensitivity |
| All Other Sectors | Recommended, if Risk of Significant Harm. | Yes | Must Disclose if Data Leaves Canada. | Yes | Yes | Implied | Yes | No | Commensurate with Sensitivity |

Quebec

| Sector | Breach Notification | Encryption Standards | Data Residency | Audit Trail | Physical Security of Servers | Secure Wipe of Deleted Data | Strong Password | Automatic Session Timeout | Security Standards |
|---|---|---|---|---|---|---|---|---|---|
| All Sectors | Recommended, if Real Risk of Significant Harm. Mandatory has been proposed. | Yes | Cannot be exported unless data receives adequate protection | Yes | Yes | Yes | Yes | No | Reasonable |

All Other Provinces and Territories

| Sector | Breach Notification | Encryption Standards | Data Residency | Audit Trail | Physical Security of Servers | Secure Wipe of Deleted Data | Strong Password | Automatic Session Timeout | Security Standards |
|---|---|---|---|---|---|---|---|---|---|
| All | Recommended, if Risk of Significant Harm. | Yes | Must Disclose if Data Leaves Canada. | Yes | Yes | Implied | Yes – Multi-Factor (ie 2FA) Required for High Risk Transactions and Critical Infrastructure, Recommended everywhere. | No | Commensurate with Sensitivity |

USA

The United States addresses privacy through a combination of Federal and State laws, Industry Trade Group rules and other regulatory organizations. This makes it difficult to identify which rules apply to a particular transaction, and puts the US at odds with the EU Directive 95/46/EC on the protection of personal data and with other jurisdictions. In response, the EU-US Safe Harbor Privacy Policy Principles were created.

On October 6, 2015, the European Court of Justice issued a judgment declaring as “invalid” the European Commission’s Decision 2000/520/EC of 26 July 2000 “on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce.” Therefore, currently most US based Cloud Storage providers are NOT compliant with EU law.

The principles are “opt-in”, self certified and available only to US Entities. GeoFolder is a Canadian company and so is already under an EU compliant privacy framework (PIPEDA) and thus the EU-US Safe Harbor Principles are not applicable. However, GeoFolder not only meets, it substantially exceeds the security and privacy storage requirements of the US-EU Safe Harbor Principles for Cloud Storage.

In accordance with GeoFolder’s policy of adhering to the most strict privacy regulations, GeoFolder US storage is HIPAA/HITECH/OMNIBUS compliant.

US companies using GeoFolder can certify and maintain HIPAA/HITECH/OMNIBUS and Safe Harbor certification without any restrictions caused by the use of GeoFolder. Please note that the use of GeoFolder itself does not guarantee compliance, only that the cloud storage aspect of the privacy rules is met.

All States and Territories

| Sector | Breach Notification | Encryption Standards | Data Residency | Audit Trail | Physical Security of Servers | Secure Wipe of Deleted Data | Strong Password | Automatic Session Timeout | Security Standards |
|---|---|---|---|---|---|---|---|---|---|
| HIPAA / HITECH / OMNIBUS | Mandatory if “unsecured breach” (ie unencrypted) or there is a significant risk of financial, reputational, or other harm to the individual. | Yes – Strong | No, but US laws protecting the privacy of US citizens do not apply to data stored or in transit outside of the US. | Yes | Yes | Yes – “Irretrievable destruction” | Yes – 2FA implied but not specified | Yes | “Reasonably safeguard protected information” |

European Union

The EU Data Protection Directive applies to all member states. The current members are: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom. For the purposes of storage, GeoFolder is a “data processor”. GeoFolder may be considered a “data controller” for the purposes of some optional apps.

The European Commission has decided that the following countries provide “an adequate level of protection for personal data” and allows data to be transferred to them without further restriction: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, and Uruguay. GeoFolder is headquartered in Canada.

All EU Members

| Sector | Breach Notification | Encryption Standards | Data Residency | Audit Trail | Physical Security of Servers | Secure Wipe of Deleted Data | Strong Password | Automatic Session Timeout | Security Standards |
|---|---|---|---|---|---|---|---|---|---|
| All | Yes, unless data is encrypted. | Yes – FIPS 140-2 Recommended | Yes – “Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data” | Implied but not specified. | Yes | Yes – “Beyond Use” | Yes | No | “Appropriate technical and organisational measures”. ISO 27001 series recommended. |

Switzerland

Switzerland is not a member of the EU and has its own privacy protection framework.

All Cantons

| Sector | Breach Notification | Encryption Standards | Data Residency | Audit Trail | Physical Security of Servers | Secure Wipe of Deleted Data | Strong Password | Automatic Session Timeout | Security Standards |
|---|---|---|---|---|---|---|---|---|---|
| Business | Yes, unless data is encrypted. | Yes – FIPS 140-2 Recommended | Yes – “Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data” | Implied but not specified. | Yes | Yes – “Beyond Use” | Yes | No | “Appropriate technical and organisational measures”. ISO 27001 series recommended. |

Protect Your Privacy Now

Get One Month Free when you sign up for a year.
A $180 Value for $165!