Why Canadian?

Data Sovereignty and Canada’s Strong Privacy Laws

The privacy of your data is governed by the laws of where the server is located, and the laws of whoever owns and operates that server.

This concept is known as “Data Sovereignty”.

Canada enjoys some of the world’s strongest laws for privacy protection.  It is ranked 2nd in the world on the International Privacy Index.

If you are a Canadian citizen or organization, then you can have real privacy from these online threats:

  • secret, warrantless mass surveillance via the USA’s PATRIOT Act / FREEDOM Act / CLOUD Act
  • data and metadata theft for AI training purposes
  • arbitrary disclosure to foreign governments or agencies, with or without notification to you
  • metadata theft for marketing and surveillance
  • exposure to digital service tariffs and taxes
  • server seizures under the Digital Millennium Copyright Act
  • the loss of net neutrality

In August 2025, Microsoft revealed that U.S. law takes precedence over Canadian data sovereignty. This confirms that all US-owned services and public clouds are subject first to US laws before Canadian laws. They specifically confirmed this in the context of disclosure demands from US government agencies for data stored on servers located in Canada. In order for your data to be protected by Canadian privacy laws, especially when it comes to unauthorized disclosure to US government agencies, all of the following must be true:

  • your data (servers), backups and all other infrastructure must be physically located in Canada
  • your data is kept on Canadian-owned equipment, not on servers owned by a foreign corporation
  • your application service provider (if there is one) is also a Canadian entity, e.g. your provider for e-mail, drive, chat, web hosting, etc.
  • connections between your users and services are fully protected with strong encryption (TLS)

Additional Risks to your Business Data

The risks above apply not only to website and application data but also to your business data:

  • e-mail 
  • cloud drive and file storage, file sharing
  • project management (kanban etc)
  • team chat and collaboration

These tools are all subject to the same privacy threats when using foreign-owned services, or 3rd party services built on top of foreign-owned clouds.

This is now more problematic than ever because of AI. Your business data is extremely valuable as AI training material, whether stored at rest or being transmitted across the internet (such as in an e-mail or chat message). Most online service providers are rushing to include AI in their products, which means they are sharing your data with 3rd party AI companies. All of the major AI companies have been exposed as having used illegal BitTorrent shadow libraries of pirated content in their training data. They continue to fight the concept of copyright and fair use in court. This conduct does not invite trust in them as custodians of your private data.

This adds risk with the service providers on top of the risk with the cloud providers.

You can protect yourself by choosing Sovereign Canadian cloud providers for your business data, such as Canwork.Cloud.

Additional Risks of Foreign AI Use

The risks also apply to any and all data you use for AI chats or RAG. Nearly all generative AI related work is done by sending your data off to a foreign-owned API endpoint. This often also includes the embedding and training steps of AI, where you index all of your data in AI-readable form. Without care, this will also downgrade the legal and practical protection of your data’s privacy, because it (temporarily) relocates the data’s sovereignty to a foreign country while processing it.

There is a huge initiative underway to create a Sovereign AI cloud in Canada.  Physical location of the AI hardware is only part of the solution though.  Canadian AI service vendors will also be required to maintain Sovereignty.

You can protect yourself from exposure to this risk by using Canadian Hosted and Owned AI services, or by using local AI hosting on your own equipment.  These methods avoid transferring the data to another country / company.

Improving User Confidence

Unsurprisingly, Canadians trust websites more if they are hosted in Canada. A 2019 CIRA study found that 64% of Canadians prefer making online purchases from a Canadian retailer. A whopping 75% are comfortable making purchases on a Canadian retail or government site vs only 55% on a U.S. site.

Avoid Exposure to Tariffs and Taxes

As the trade war between Canada and the USA escalates, there is the possibility of taxes or tariffs being added to cloud services.   A Digital Services Tax on US cloud vendors, designed to recoup lost tax revenue, was scrapped in June 2025 during trade negotiations.  Any forthcoming taxes or tariffs on US cloud services will result in pricing hikes to Canadian customers.

Canadian consumers are increasingly repatriating their data from US-owned services, choosing instead to Buy Canadian.

Meeting Canadian Compliance Regulations

Depending on whether your organization is public or private sector, what province you are in, and what province or country your users are in, different privacy laws may apply or overlap for you.  All of these privacy regulations stress responsible collection, use, and disposal of Personally Identifiable Information.

PIPEDA

PIPEDA, the Personal Information Protection and Electronic Documents Act, protects consumer data across the country. It is built around 10 Fair Information Principles designed to provide a comprehensive framework for protecting privacy when making commercial transactions. Under PIPEDA, information can transfer to 3rd parties (including across borders), but the organization that transfers the data is legally responsible for ensuring its safety and privacy. Principle 1, “Accountability”, of the Fair Information Principles spells out these responsibilities for organizations. It is imperative to obtain consent for data collection and then have reasonable safeguards to protect private information before and after transferring it to a 3rd party. Certain sensitive data such as classified information, data having to do with minors, financial records, or medical records, should never be stored outside of Canada under any circumstances.

Provincial privacy laws

PIPEDA applies to most federal public sector organizations. Canadian private sector organizations that are interacting with other users in Canada are often covered by a provincial privacy law that supersedes PIPEDA.

Alberta, British Columbia and Quebec have their own private-sector privacy laws that have been deemed substantially similar to PIPEDA.

Ontario, New Brunswick, Nova Scotia and Newfoundland and Labrador have also adopted substantially similar legislation regarding the collection, use and disclosure of personal health information specifically.

The provincial privacy laws follow the same approach as PIPEDA where companies are required to only store private information for a commercial purpose, to obtain consent from users before doing so, and to responsibly safeguard private information.

Information that crosses borders

All businesses that operate in Canada and handle personal information that crosses provincial or national borders are subject to PIPEDA, regardless of the province or territory in which they are based (including provinces with substantially similar legislation).

Considerations for Data Storage and Transfer

If you are thinking of transferring personal information outside your jurisdiction for processing, you must follow PIPEDA’s transfer rules.

What does PIPEDA not apply to?

PIPEDA does not apply to organizations that do not engage in commercial, for-profit activities.

Unless they are engaging in commercial activities that are not central to their mandate and involve personal information, PIPEDA does not generally apply to:

Municipalities, universities, schools, and hospitals are generally covered by provincial laws. PIPEDA may only apply in certain situations, for example if the organization is engaged in a commercial activity which is outside of its core activity, such as a university selling an alumni list.

Unless the personal information crosses provincial or national borders, PIPEDA does not apply to organizations that operate entirely within:

  • Alberta
  • British Columbia
  • Quebec

These three provinces have general private-sector laws that have been deemed substantially similar to PIPEDA.

All businesses that operate in Canada and handle personal information that crosses provincial or national borders are subject to PIPEDA regardless of which province or territory they are based in.

CanTrust’s SOVEREIGN CANADIAN CLOUD

  • Built on our own server hardware with Open Source software
  • Co-located in Canadian-owned Tier 3 and Tier 4 data centers in Vancouver and Toronto
  • Your data is private: No sharing with 3rd parties and No AI Training, ever!
  • Fully Managed Open Source Software environments with CanWork.Cloud: We install, update, and take care of everything, you just use it.
  • Real Human Support: Talk with humans that care, not AI bots.
  • Non-Predatory Pricing: Fair, resource-based pricing for large organizations
  • Values Aligned: We care about much more than just your privacy. We believe that by working together, like-minded organizations can unite to make a better world for all.