Canadian businesses must rethink data residency

It is time for Canadian companies to rethink the concept of data residency.

Opinions on whether Canadian companies should house their data within Canada have varied over the years. From a legal perspective, most privacy laws don’t require data to be housed in Canada. However, the Canadian Privacy Commissioner has a longstanding policy that requires companies to let customers know if their data is housed outside Canada.

The USA PATRIOT Act was introduced in 2001 after the 9/11 attacks. It gave U.S. intelligence and police a broad right to collect electronic information. That resulted in many Canadians insisting that data be housed in Canada to avoid that. Others pointed out that if a U.S. agency really wanted info about a Canadian, they could get it through co-operative treaties and warrants through Canadian authorities. And if a Canadian facility of a U.S. company has the data, the U.S. takes the position that it is an American company and must comply wherever they are located. Another factor is that internet traffic flows through the most efficient route, so it is entirely possible that an email, for example, between two people in Canada might travel through the U.S.

Fast forward to today, a quarter century after 9/11, and we have different issues and different technology. The current U.S. government tends to be more intrusive and bolder than ever when it comes to wanting to get people’s information. U.S. tech companies don’t seem to push back at that. What little privacy protection there is in the U.S. seems to be getting weaker. U.S. data brokers have huge amounts of information on people.

Compared to 25 years ago there are many more Canadian data centers, and most cloud providers will give the option of housing data in Canada.

More services than ever offer end-to-end encryption. If the data is encrypted in transit and at rest, it makes it more difficult for the vendor to release the data when asked. Various countries have tried to require backdoor access to encrypted data, which is a really bad idea.

No doubt more Canadians will not want their info to be housed in the U.S., a factor that businesses should consider.

Data residency best practices

Best practices include:

• House data in Canada wherever possible.
• Encrypt as much as possible.
• Pay attention to the data and privacy policies of all vendors.
• Make sure AI products don’t save your data.

Don’t just take my word for this. See this Wired article saying that even some people in the U.S. don’t want their data in the U.S. “How to Avoid U.S.-Based Digital Services — and Why You Might Want To. Amid growing concerns over Big Tech firms aligning with Trump administration policies, people are starting to move their digital lives to services based overseas. Here’s what you need to know.”

David Canton is a business lawyer and trademark agent at Harrison Pensa with a practice focusing on technology, privacy law, technology companies and intellectual property. Connect with David on LinkedIn, Bluesky, and Twitter.

Image credit: ©typepng – stock.adobe.com