These days, storing data in the cloud is done on a fairly routine basis. That being said, where the data is physically located has become a more relevant consideration in recent months due to changes to US law. Different countries have different rules; in this post we explore the case for protecting your clients' data privacy by storing their data in Canada correctly.
Most people are aware that if your data is stored on servers in the United States, laws such as the Patriot Act, PRISM and the newest CLOUD Act of 2018 all apply. In effect, they allow US agencies to review your files with minimal effort and while incognito.
The CLOUD Act was designed to help American agencies solve the legal challenges of cross-border data collection and the application of US law in those foreign territories. The result is that this law now enables the US government to legally access data outside the US that is being managed by US companies. In effect, the data is considered to be under US custody and control. In addition, the same US agencies can impose a communication ban on US companies so that they do not disclose that the data has been collected. Specifically, this legislation seems to have been written to resolve the problem of US agencies not technically having the legal right to sniff data in foreign territories, as they have done in the past in Ireland → https://en.wikipedia.org/wiki/Microsoft_Corp._v._United_States
What Does This Mean for Canadians and Their Privacy?
Do you know who is in control of your data? This question is becoming increasingly important for Canadians. Sectors such as health and education (especially those in provinces with stricter data laws, such as British Columbia) should pay particular attention to the location and availability of confidential customer information.
Some major cloud companies may look like trusted providers if they have data centers in Canada. But the location does not matter if these companies are owned in the United States.
Where your data is stored and who has access to it is information you need to know. If you choose a service provider, Server Cloud Canada recommends asking the following questions:
- Although the data center is located in Canada, is the cloud provider a Canadian company that understands data sovereignty?
- Can I trust how the provider will handle my data?
- Can I protect my data against unauthorized access or recovery?
- Can I trust that data is always in the host country?
Perhaps the one thing that almost everyone can agree on (aside from the particularly sneaky way that the law was approved → https://www.theregister.co.uk/2018/03/23/cloud_act_spending_bill/ ) is that the CLOUD Act is one of the most controversial laws passed in the US in recent history. Uncertainty about it continues. For example, will this law be applied continuously to circumvent data protection and privacy acts, especially those in Europe? At this point, it's not known how the CLOUD Act will stand up to scrutiny under PIPEDA or other Canadian privacy legislation, but it's likely that Canadian agencies will work in tandem with US agencies (in silence) to collect private data in Canada legally.
Alternatively, if you use Canadian servers on Canadian soil, owned by a Canadian company, you are under the jurisdiction of Canada and its laws, which generally help you take much better care of your customers' privacy in a more reasonable and transparent way.
Canada has provincial and federal laws that apply to cloud storage providers. At the federal level, two main laws apply:
The Canadian Privacy Act → https://en.wikipedia.org/wiki/Privacy_Act_(Canada)
PIPEDA – Personal Information Protection and Electronic Documents Act → https://en.wikipedia.org/wiki/Personal_Information_Protection_and_Electronic_Documents_Act
Several Canadian provinces also have laws similar to PIPEDA including:
British Columbia: http://www.bclaws.ca/EPLibraries/bclaws_new/document/ID/freeside/00_03063_01