Canada and Data Sovereignty for Compliance

Did you know that certain industries are required to retain all their data within Canada due to data sovereignty?

First things first: what does data sovereignty mean, exactly? Data sovereignty is the notion that data and digital information are protected by the laws of the country in which they are physically stored. This has become a hot topic for cloud providers and their customers, since businesses and people relying on cloud technology need assurance that their confidential data will stay confidential. To assure cloud users that their data is in fact protected by data sovereignty laws, providers must maintain absolute transparency with them.

In Canada, as in other countries, providers must abide by specific rules determined by the host government if they want to declare their data protected. Early in 2015, the Canadian government polled industry professionals on whether the following strategies were viable for preserving data sovereignty¹:

  • All domestic data traffic should be routed exclusively through Canada
  • All databases in which data is stored on servers are located in Canada
  • There can be no connections between Canadian data centres and third-party data centres located outside Canadian borders, and there can be no available routes of legal entry to the data from an outside source
  • Data must be encrypted and all encryption keys must be held by Canada
  • Canadian data must be physically segregated as part of the design solution

In simpler terms, data must be held exclusively by a Canadian provider, transferred over a Canadian network, and housed in a Canadian data centre.

Failure by these industries to follow the new laws added to PIPEDA on Oct 1, 2016 can net a fine of up to Can$10,000 on summary conviction, or a fine of up to Can$100,000 on indictment, for any of the following:

  • Violation of the provisions related to the retention of information subject to an access request.
  • Retaliating against an employee for:
    1. co-operating with the Commissioner;
    2. refusing to violate PIPEDA; or
    3. complying in good faith with the legislative requirements.
  • Obstructing the Commissioner in the investigation of a complaint or audit.

The Federal Court can order an organisation to:

  • Correct its practices.
  • Publish a corrective notice.
  • Pay damages to a complainant, including damages for humiliation.


