There is a lot of data out there: over 1 billion gigabytes (if you can measure it all). Increasingly dire security incidents and data breaches have shown both the importance and the difficulty of securing private information. The laws on digital privacy and data security are forever playing catch-up with the state of security threats.
Websites and databases are governed by the laws of the jurisdiction where the server is located. This concept is known as “Data Sovereignty”.
For your data to be protected by Canadian law against warrantless surveillance under the USA’s Freedom Act and/or Patriot Act, sweeping server seizures under the Digital Millennium Copyright Act, the loss of net neutrality, and/or other foreign laws or policies, your website must be hosted on Canadian soil.
Unsurprisingly, Canadians trust websites more if they are hosted in Canada. A 2019 CIRA study found that 64% of Canadians prefer making online purchases from a Canadian retailer. A whopping 75% are comfortable making purchases on a Canadian retail or government site, versus only 55% on a U.S. site.
Depending on whether your organization is public or private sector, what province you are in, and what province or country your users are in, different privacy laws may apply or overlap.
PIPEDA, the Personal Information Protection and Electronic Documents Act, protects consumer data across the country. It is built around 10 Fair Information Principles designed to provide a comprehensive framework for protecting privacy in commercial transactions. Under PIPEDA, information can be transferred to third parties (including across borders), but the organization that transfers the data remains legally responsible for ensuring its safety and privacy. Principle 1 of the Fair Information Principles, “Accountability”, spells out these responsibilities for organizations. It is imperative to obtain consent for data collection and then to have reasonable safeguards in place to protect private information both before and after transferring it to a third party. Certain sensitive data, such as classified information, data relating to minors, financial records, or medical records, should never be stored outside of Canada under any circumstances.
Provincial privacy laws
PIPEDA applies to most federal public sector organizations. Canadian private sector organizations that interact with other users in Canada are often covered by a provincial privacy law that supersedes PIPEDA.
Alberta, British Columbia and Quebec have their own private-sector privacy laws that have been deemed substantially similar to PIPEDA.
Ontario, New Brunswick, Nova Scotia and Newfoundland and Labrador have also adopted substantially similar legislation regarding the collection, use and disclosure of personal health information specifically.
The provincial privacy laws follow the same approach as PIPEDA: companies are required to store private information only for a commercial purpose, to obtain consent from users before doing so, and to responsibly safeguard private information.
Information that crosses borders
All businesses that operate in Canada and handle personal information that crosses provincial or national borders are subject to PIPEDA, regardless of the province or territory in which they are based (including provinces with substantially similar legislation).
Considerations for Data Storage and Transfer
If you are thinking of transferring personal information outside your jurisdiction for processing, you must follow PIPEDA’s transfer rules.
What does PIPEDA not apply to?
PIPEDA does not apply to organizations that do not engage in commercial, for-profit activities.
Unless they are engaging in commercial activities that are not central to their mandate and involve personal information, PIPEDA does not generally apply to:
- Municipalities
- Universities
- Schools
- Hospitals
These organizations are generally covered by provincial laws. PIPEDA may only apply in certain situations, for example if the organization is engaged in a commercial activity outside of its core activity, such as a university selling an alumni list.
Unless the personal information crosses provincial or national borders, PIPEDA does not apply to organizations that operate entirely within:
- Alberta
- British Columbia
- Quebec
These three provinces have general private-sector laws that have been deemed substantially similar to PIPEDA.