What every Canadian CIO needs to know about data sovereignty

Keeping watch on where data travels over the internet is relevant to any business that cares what country might have access to its private information. Exactly where data moves and is stored is tied to the concept of data sovereignty, the idea that data is governed by the laws of the country where it’s located.

If data stays in Canada, local privacy laws apply to personal information. But that control may be lost once data slips outside the border.

[ Lisez la version française: « Ce que tout DSI canadien devrait savoir sur la souveraineté des données » ]

Data sovereignty is creeping up the agenda for CIOs and CISOs around the world as cloud services with loose geographical boundaries become increasingly prevalent. Many countries, particularly in Europe, have implemented stricter rules to try to protect their citizens’ data.

Canada is no exception. Here’s what every Canadian CIO and CISO needs to know about data sovereignty.

CSO guides to privacy rules around the world

• How GDPR has inspired a global arms race on privacy regulations
• The EU’s GDPR
• Laws across Asia-Pacific
• Laws in US states
• California’s CPRA
• Laws in Canada
• Australia’s CDR and Australia’s proposed GDPR-inspired privacy law
• New Zealand’s Privacy Act
• The UAE’s data law
• China’s PIPL

Data sovereignty in Canada: Federal or provincial jurisdiction matters

How data is treated in Canada depends on the type of organization and the province where it’s located. The laws are focused on personal information belonging to citizens or consumers.

Two sets of federal laws apply to data: the Privacy Act, for federal institutions, and the Personal Information Protection and Electronic Documents Act (PIPEDA), for private-sector organizations.

There’s no rule stipulating the federal government must keep its sensitive data in Canada, but the Directive on Digital Service updated in 2020 says keeping computing facilities within borders should be considered as the first choice.

Ottawa acknowledges that even if data resides in Canada, once it’s on the cloud it can be subject to the laws of the cloud service provider’s home country. It argues the technical benefits outweigh the risks even though it means the government can never have full sovereignty over its data. For instance, the Government of Canada does business with both Amazon’s AWS and Microsoft Azure. Both host data in Canada but are based in the US, where they’re subject to the US Foreign Intelligence Service Act.

But some provinces have stricter rules. Québec passed legislation in November 2021 that will require organizations to conduct a privacy assessment if they plan to send data outside Québec, and British Columbia requires public bodies to store personal information inside Canada. That said, British Columbia is considering relaxing its data sovereignty rules to make it easier to use digital services.

A Canadian GDPR? New rules may be around the corner

Ever since the EU introduced the GDPR (General Data Protection Regulation), there has been speculation similar rules might come to Canada. The GDPR stipulates that any company anywhere in the world holding personal information of EU residents must apply strict controls over that data’s use and give those residents some authority over that use. The GDPR also says that companies or public bodies cannot move EU residents’ data outside its home jurisdiction unless it’s similarly protected by privacy laws wherever it moves.

Canada introduced legislation in 2021 that would update its data privacy rules to look more like the GDPR, but the bill never came to pass. Politicians are expected to take another crack at it in 2022. Either way, CIOs and CISOs would be wise to look to Europe or Québec’s newly minted Bill 64 to see what sort of requirements might be in the future.

Companies must do their homework under PIPEDA

For now, Canadian CIOs and CISOs must work within the existing frameworks.

There’s nothing explicit about data sovereignty in PIPEDA, the law that governs how private organizations handle consumer information. But PIPEDA does put the responsibility on companies to safeguard all personal information, regardless of how its stored, against “loss, theft, or any unauthorized access, disclosure, copying, use, or modification.”

That’s a massive undertaking. Cloud vendors, particularly the giant hyperscalers AWS, Microsoft, and Google that have built their own centres in Canadian cities, do extensive work to ensure the security of their operations. But CIOs and CISOs also need to ask the right questions, said Megha Kumar, IDC’s research vice president for software and cloud services. “As an organization, you need to do your due diligence. The onus just doesn’t fall on cloud providers, it falls on you,” she said.

Kumar recommends working with the cloud provider to answer questions such as how data will be treated at rest and in motion, how it will be classified, and what data sets should move to the cloud in the first place.

Taking these extra steps can help build trust with customers. “It shows that you’re an organization that’s taking the customer’s business seriously, the customer’s information seriously,” she said.

Don’t forget about data in motion

It’s easier to think about data sovereignty when the information isn’t moving. After all, if data is in a massive, Canadian-owned computing centre in Toronto, it’s clear that Canadian privacy laws would apply. But it becomes more complicated when that data needs to move from point A to point B.

For example, the path from Toronto to Montréal might cross through the United States, depending on how a network is configured. There’s not a lot of visibility on which fibre optic cable a company’s data might travel on at any given time, said Jacques Latour, chief technology and security officer at the Canadian Internet Registry Authority (CIRA). Even if the information is being sent from Canada to Canada, it could flow south of the border. CIOs and CISOs need to understand that when they don’t control traffic, they’re at the mercy of internet service providers as to where their data actually travels, he said. “There’s no Google Maps for the internet to understand where the traffic flows.” And once data leaves Canada, it could be captured even if it’s encrypted, Latour said.

To address these concerns, CIRA has supported the development of more than 10 internet exchange points in Canada to enable networks to exchange traffic locally. It’s also building a tool that measures and shows traffic on different paths between networks in Canada.

Just as road traffic matters to trucking companies, where data travels should matter to any business that buys internet transit to offer services to customers, Latour said. It can help them determine how to keep their data safe by deciding what information to send and when.