There is a lot of data out there. Over 1 billion gigabytes (if you can measure it all). As the laws play catch-up with digital privacy and data security, storing data outside of Canada will become more and more complicated.
Websites and databases are governed by the laws of where the server is located. For your data to be protected by Canadian Law, your website must be hosted in Canada.
Where the host’s web servers (or data centres) are physically located doesn’t always come up in conversation. Data is protected by the Canadian constitution if the hosting server is in Canada. If your data centre (or servers) is outside Canada, your data may be open to seizure or other types of mass surveillance by security companies from other countries.
If your data is not hosted in Canada, you should at least be informing your customers that their information may be seized by a foreign country. Or, it may be prohibited entirely from leaving Canadian soil, with or without consent.
For your data to be protected by Canadian law against things like the USA Freedom Act, sweeping server seizures under the Digital Millennium Copyright Act, the loss of net neutrality, and/or other foreign laws or policies, your website must be hosted on Canadian soil.
In fact, data sovereignty is required by the Canadian Privacy Act and PIPEDA.
Canadians trust websites more if they are hosted in Canada. A 2019 CIRA study found that 64% of Canadians prefer making online purchases from a Canadian retailer. A whopping 75% are comfortable making purchases on a Canadian retail or government site versus only 55% on a U.S. site.
PIPEDA, the Personal Information Protection and Electronic Documents Act, protects consumer data across the country. Information can cross borders, but the Canadian business remains liable for any problems. Depending on where you are based (each province has its own rules), you may be unable to transfer your data outside of Canada.
Provincial privacy laws
Alberta, British Columbia and Quebec have their own private-sector privacy laws that have been deemed substantially similar to PIPEDA. Organizations subject to a substantially similar provincial privacy law are generally exempt from PIPEDA with respect to the collection, use or disclosure of personal information that occurs within that province.
Ontario, New Brunswick, Nova Scotia and Newfoundland and Labrador have also adopted substantially similar legislation regarding the collection, use and disclosure of personal health information.
Information that crosses borders
All businesses that operate in Canada and handle personal information that crosses provincial or national borders are subject to PIPEDA, regardless of the province or territory in which they are based (including provinces with substantially similar legislation).
Considerations for Data Storage and Transfer
If you are thinking of transferring personal information outside your jurisdiction for processing, you must follow PIPEDA’s transfer rules.
What does PIPEDA not apply to?
PIPEDA does not apply to organizations that do not engage in commercial, for-profit activities.
Unless they are engaging in commercial activities that are not central to their mandate and involve personal information, PIPEDA does not generally apply to:
- Municipalities
- Universities
- Schools
- Hospitals
These organizations are generally covered by provincial laws. PIPEDA may only apply in certain situations, for example if the organization is engaged in a commercial activity that is outside of its core activity, such as a university selling an alumni list.
Unless the personal information crosses provincial or national borders, PIPEDA does not apply to organizations that operate entirely within:
- Alberta
- British Columbia
- Quebec
These three provinces have general private-sector laws that have been deemed substantially similar to PIPEDA.