Most companies operating in Canada can store data wherever they want as long as they take measures to secure personal data.
Service providers working with public bodies in BC and Nova Scotia have stricter data sovereignty requirements including storing data in Canada.
Concerns about data being accessed through the PATRIOT Act are misplaced, because broader mechanisms for requesting and sharing data between governments and law enforcement agencies were in place long before the PATRIOT Act.
The PATRIOT Act
The PATRIOT Act was enacted in 2001 and it broadly extended US law enforcement’s powers to access data.
Companies with a presence in the US are subject to the PATRIOT Act regardless of where the data is physically located or where they are headquartered.
Canada offers no federal protections against the PATRIOT Act; only British Columbia and Nova Scotia have enacted any form of protection against it.
Furthermore, Canada, like most countries, has enacted legislation that grants similar powers to Canadian law enforcement agencies and, like most western countries, has agreements in place to share that information with foreign allies.
So, even if your company only operates in Canada and your data resides entirely in Canada, US law enforcement agencies can ask their Canadian counterparts for the data and the Canadian authorities will likely comply.
The main lesson is that if there is reasonable suspicion of criminal wrongdoing, then it doesn’t matter where the data is stored. For typical, non-criminal businesses, locating data in Canada with a Canadian hosting company offers very little additional protection.
Canada’s PATRIOT Act: PIPEDA
The Personal Information Protection and Electronic Documents Act (PIPEDA) governs how data on Canadians is collected, used and disclosed.
The main obligation for Canadian companies set out by PIPEDA is the requirement that “personal information shall be protected by security safeguards appropriate to the sensitivity of the information.”
You can store data wherever you want; just make sure anything sensitive is encrypted and password protected.
One of the main exceptions to PIPEDA’s protections is law enforcement and national security. That exception extends to sharing data with foreign bodies.
The Office of the Privacy Commissioner of Canada made this clear in a submission to the Office of the Information and Privacy Commissioner for British Columbia titled Transferring Personal Information about Canadians Across Borders–Implications of the USA PATRIOT Act.
“Canadian law often permits government agencies to share personal information that is held in Canada (by government or the private sector) with foreign governments and organizations, even without the consent of the individual to whom the information relates.”
Canada has signed a number of Mutual Legal Assistance Treaties with countries like the US and the UK that provide mechanisms for requesting evidence.
The Department of Justice must then apply for a search warrant before obtaining the information and sharing it with the body that made the request.
British Columbia and Nova Scotia have enacted laws that govern records held by public bodies that apply to service providers working with public bodies. Both laws require that data be stored in Canada.
Freedom of Information and Protection of Privacy Act (BC)
The Freedom of Information and Protection of Privacy Act (FOIPPA) regulates access to records held by public bodies and privacy standards for such records in the province of British Columbia (BC).
Many of the privacy-related sections of the act apply to “officers of the Legislature, their employees and, in relation to their service providers, the employees and associates of those service providers, as if the officers and their offices were public bodies.”
That means that if you provide services for a public body in BC, then FOIPPA may apply to you.
Sections that apply include the data sovereignty provisions of FOIPPA, which require that data collected by public bodies in BC be stored in Canada.
In addition to storing the data in Canada, organizations subject to FOIPPA are required to report foreign demand for disclosure to the minister responsible for FOIPPA.
This means that companies subject to the PATRIOT Act would be compelled to give requested data to US authorities and to report the transaction to BC authorities. In practice, US authorities would likely ask Canadian authorities (who are exempted from notification) to share the data, thus circumventing any FOIPPA protections and responsibilities.
Most of the other applicable sections are related to storing data securely and unauthorized disclosure/access.
The following is the complete list of sections that apply to service providers as listed in the act:
- Section 30: Protection of personal information.
- Section 30.1: Storage and access must be in Canada.
- Section 30.2: Obligation to report foreign demand for disclosure.
- Section 30.3: Whistle-blower protection.
- Section 30.4: Unauthorized disclosure prohibited.
- Section 30.5: Notification of unauthorized disclosure.
- Section 33: Disclosure of personal information.
- Section 33.1: Disclosure inside or outside Canada.
- Section 33.2: Disclosure inside Canada only.
- Section 74.1: Privacy protection offences.
Personal Information International Disclosure Protection Act (NS)
The Personal Information International Disclosure Protection Act (PIIDPA) applies to personal information collected by public bodies in Nova Scotia.
The act also applies to service providers defined as “an individual or a company that is retained under a contract to perform services for a public body, and in performing those services, uses, discloses, manages, stores or accesses personal information in the custody or under the control of that public body.”
Similar to the BC law, PIIDPA requires that data covered under the act be stored in Canada. It also requires that foreign requests for disclosure be reported to the Minister responsible for the act, but it specifically exempts foreign law enforcement agencies that request information through federal or provincial agreements.
In addition, it specifically prohibits storing PIIDPA data on portable devices while travelling unless specific permission has been given.
At the moment, there are very few data sovereignty requirements that apply to Canadian companies. The most common ones are satisfied by basic security practices that you should already be following.
Keeping your data in Canada over PATRIOT Act concerns is also unnecessary. Most Western countries already had agreements in place under which Canadian authorities would provide data that resides in Canada. The PATRIOT Act mostly asserted the US’s right to unilaterally request data from companies with a presence in the US, where it already had the bilateral right to obtain that data from companies in Canada.
The only ways to guarantee that you are made aware of such requests are to run your own data center, so that you receive the subpoena for the data yourself, or to be working with data belonging to public bodies in BC and Nova Scotia, where provincial data sovereignty laws apply.
As with any post on legal topics here, this is an overview of the laws and does not replace proper legal advice in any way.