Demystifying Canadian Data Residency and the Public Cloud
What every company that collects data on Canadians needs to know about Canadian data residency and the public cloud.
Want to get up and running fast in the cloud? We provide cloud and DevOps consulting to startups and small to medium-sized enterprise. Schedule a no-obligation call today.
When it comes time to build your server infrastructure, it is necessary to think about Canadian data residency requirements and how it relates to the public cloud.
This ultimate guide will review the implications of digital transformation and cloud computing and why you should work with us to build your infrastructure in Canadian public cloud data centres.
What is the Public Cloud?
Before we get into data residency requirements and privacy legislation in Canada, let's discuss the public cloud. The term "public cloud" refers to the type of computing that involves storing and running applications on virtual machines hosted in data centres around the world and provided by 3rd parties such as Amazon Web Services, Microsoft Azure, or Google Cloud Platform. We call it "the cloud" because we can open a website console and magically have access to services offering seemingly limitless scalability and near instant deployment of websites or applications to users everywhere. But as a wise coffee mug once said, "there is no cloud, it's just someone else's computer," and where that computer is located matters.
Cloud technology allows organizations to scale their capabilities and share resources in ways that would not otherwise be feasible. However, when you use the public cloud, your data has to pass through the public internet.
One benefit of utilizing the public cloud is that you can quickly transfer resources and data from one region to another. For instance, a government employee working in Alberta can automatically access data stored in a cloud processing center in Québec. Likewise, the backup for the data center may be somewhere else entirely!
When this data transfer happens, your private information will likely leave the country - which can void your data residency efforts. Preventing this requires establishing a dedicated, private network connection from your site to your cloud.
A tool that can help you do just that is AWS Direct Connect.
AWS – Amazon Web Services – is one of the most popular and broadly adopted cloud computing platforms. Millions of customers and organizations use AWS to reduce their infrastructure costs, speed up innovation, and boost agility. Other popular cloud platforms include Azure and GCP.
Other important considerations for the public cloud include availability and backups. You want to maximize availability and ensure that your application continues to run, and your data backups should be in a separate location to avoid a complete operational shutdown. This would be easier for Canadians in AWS if we had more than one region, but currently Montreal is the only one.
However, you can still maintain data residency while achieving high availability using a hybrid cloud model.
Hybrid cloud refers to using a mix of on-premises and cloud infrastructures between your data centre and AWS Montreal.
This protects you from a failure and lets you achieve Canadian data residency – without having to forgo the benefits of a public cloud.
Canadian Privacy Laws
As technology continues to evolve and more organizations rely on cloud computing, the Canadian government has enacted laws that protect client data and address cross-border data privacy. The first of these laws was issued in 2018 to create the framework for directives aimed to regulate cloud operations.
Here are some of the various Canadian privacy laws that intersect with data residency:
The Personal Information Protection and Electronic Documents Act, or PIPEDA for short, sets Canadian data privacy laws apart from those found in other countries. It ensures that data storage providers follow best practices for personally identifiable information and other sensitive data to protect consumers.
Under this legislation, organizations are held accountable for protecting information in transit and when outsourced for data processing. This means that if their cloud servers require data to cross international borders, they are liable for any problems should they arise.
We can break down the PIPEDA compliance checklist into three pillars:
- comparable levels of protection
Any time you transfer information for processing, you can only use it for the original purpose for which you collected it. For example, if you obtained the data for marketing purposes, that is the only thing for which you may use it.
The transparency aspect of these online privacy laws requires companies to share their practices for handling personal information with their customers. All consumers must be informed if their data will be sent somewhere else for processing. You must also notify them that Canadian law enforcement may access the information even if it moves to another jurisdiction.
Another facet of PIPEDA compliance involves comparable protection levels, which means that if you move data to a third-party processor, they must provide equivalent security. In other words, you must ensure the organization you transfer data to will offer the same level of security as it would have if it stayed within a Canadian company.
When it comes to Canadian digital laws, Alberta has some of the most comprehensive legislation. The Personal Information Protection Act, or PIPA, is the only private sector regulation that defines the requirements for the transfer of personal information outside of Canada.
Alberta privacy laws require that any organization that plans to transfer data outside of the country give prior notice to those individuals. This notice must describe the procedures in place to manage the transfer and a way to contact them to answer additional questions.
Alberta established this law to address cross-border outsourcing arrangements, but not for simple disclosures of personal information to another country. The goal is to restrict the transfer of public sector data outside of Canada.
Ontario Privacy Laws
In Ontario, you cannot disclose healthcare information without the individual's express consent. The PHIPA enforces this requirement, and it stands for the Personal Health and Information Protection Act.
Data can leave Canada, but organizations that allow this must adhere to the PHIPA regulations. This requirement can make things complicated!
Implications of Hosting Canadian Data in the U.S.
Just because Canada's data privacy laws create rules that you must follow for collecting, storing, and processing customer information does not mean that you cannot store this data in the U.S. However, if you choose to do so, you must be aware of many implications.
The key here is that under the Personal Information Protection and Electronic Documents Act, your organization will be responsible for protecting the information under every outsourcing arrangement. You can move the data across the border - but you are required to do your due diligence to ensure that the third party receiving the information will offer comparable levels of protection as provided by PIPEDA.
If you can't guarantee that the third party will secure the data in a way that meets all standards, you put your organization at risk of noncompliance.
There are other risks to consider as well, including the U.S. Patriot Act. This legislation allows the U.S. government to access and perform surveillance on information stored within the country. This access would violate Canada's personal information protection act - which prevents data from being improperly disclosed.
Specifically, the Patriot Act allows government officials to legally access information, block you from your data, and monitor communications simply by deeming your activity suspicious.
Many countries have adopted specific data residency laws for this reason. Carelessly moving information across borders could leave your sensitive data exposed to foreign intrusion.
If you still intend to send private data across the border, you need to establish procedures to notify your clients about how their information will be handled. You are required to disclose that it is being sent to another jurisdiction and the implications.
You should also think about what sending data to the public cloud means in terms of cybersecurity. Will you have a backup in place if there is a data breach or major outage?
All these factors should play a role when you consider hosting your data servers remotely in the U.S.
What Kinds of Data Should I Keep in Canada?
As you may have guessed by now, certain types of data should be kept in Canada. Health and financial data are some of the most sensitive and highly regulated types you may handle.
If you - and most importantly, your data - stay within the country's borders, you will be protected by the Privacy Act and other federal, provincial, and territorial privacy legislation. It doesn't matter if your server is on the cloud or physically located on your property. As long as the data center is in Canada, this applies.
Remember, once you start outsourcing your information processing to third parties across the border, you leave yourself open to data seizure or surveillance by other international security agencies. Similarly, your data won't likely not have any rights under other countries' privacy laws because you're not a resident there.
That means that it's best to keep things like personal health information, financial data, and valuable intellectual property in Canada.
If your organization resides in Québec or Alberta, you are restricted from transferring public sector personal data outside of the country. In some cases, you might even be required to keep it in the province!
Nova Scotia and B.C. privacy laws prohibit Crown agents and government institutions from moving any personal information outside of Canada.
Although there are a few exceptions to these regulations, putting the framework in place to follow all PIPEDA requirements can be costly and time-consuming. It is better to work with an AWS system that already appears these rules for this type of data!
Keeping certain types of data in Canada is also crucial to your customers. Almost 70% of Canadians reported that they worry about their data privacy and security when stored in the U.S. In other words, where you host your website matters quite a bit to Canadians!
What Are Some Additional Reasons I Should Keep My Data In Canadian Data Centres?
Let's breakdown some additional reasons that your secured data should remain in Canada: improved privacy and enhanced performance.
By hosting your website, databases, and cloud servers in Canada, you will have better control over private information. As long as the server is within the borders, it will receive all of the Canadian legal system's protections.
On the other hand, if you host your website in the United States, you will be subject to their regulations and laws – like the Patriot Act – even if you are a Canadian resident.
The Canadian data protection authority allows for better privacy since our legislation is much more robust. The PIPEDA Compliance checklist was designed to protect personal and sensitive information, so it will be easier to assure your customers that their data is safe if it stays in Canada.
Keeping health, financial, and other sensitive information within the nation can also enhance your website's performance. Online data travels fast, but the distance between your customers' computer and the host server will always make a difference.
Customers today have very little patience when it comes to waiting for a webpage to load, so your website needs to have the tools in place to optimize performance. If most of your user base is Canadian, building your servers and other infrastructure in Canada will cut down on your site's load time and boost overall performance.
If your servers are hosted in the U.S., it can increase your risk of lag and slow down your website's load time.
The Best Option for Keeping Data in Canada
So, what are the best options for keeping your business-critical and valuable customer data in Canada?
The best solution is to hire our experts at Pilotcore to help you implement your cloud-based infrastructure, storage, compute, and data collection and processing systems.
We have extensive experience partnering with organizations subject to PIPEDA compliance, and protecting the private data of Canadians is our top priority. We can help your organization meet data residency requirements in Canada and partner with you to build your infrastructure in AWS's Canadian regions like Montreal and soon, Calgary.
You can also choose to build your data centres in Google Cloud's Montreal region or Azure's Canada East and central regions. Google Cloud will also have a new Toronto region soon!
Our team will also help you lay a solid foundation of cybersecurity to prevent data breaches and implement best practices for data management and development.
Pilotcore understands the unique needs of Canadian companies. Check out our services to learn more about how we can help you make the most out of the public cloud while keeping your data safe.