In recent years, there has been a surge of data privacy breaches which has caused many people to more closely monitor where and how their data is being stored. This has lead many businesses to migrate data to countries that are perceived to have stronger data privacy laws such as Canada. But how do data privacy laws in Canada compare to the United States?
In this article, we’ll provide a brief overview of data privacy in Canada and the United States to understand why more and more businesses are choosing to host data in Canada.
Before we begin, a brief disclaimer:
This article provides a brief overview of Canadian and American data privacy. Data privacy legislation is constantly evolving and the information contained herein may not be applicable to your particular situation when you read this article. No part of this article should be construed as legal advice from ServerMania or the author. Consult your legal counsel for advice specific to your business.
What is Data Privacy?
Data privacy varies greatly depending on the nature of the data being stored and the jurisdiction in which the data is being collected.
Broadly speaking, data privacy is the concept that individuals and businesses should have the right to know which personal information is stored about them, why it is being collected, and how to request this information to be deleted. Data privacy laws outline how businesses should collect consent from users, how data should be securely stored, and what the consequences are for failing to adhere to the law.
The definition of personal information is also context specific, and depends upon the legislation in which it is being applied to. Generally speaking, it includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:
- age, name, ID numbers, income, ethnic origin, or blood type;
- opinions, evaluations, comments, social status, or disciplinary actions; and
- employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).
Why Does Data Privacy Matter?
Simply put, data privacy is important to businesses because as we have seen evidenced in recent data breaches, consumer trust in businesses is being undermined by poor data privacy practices and governing legislation. These incidents have the potential to destroy a businesses reputation and profits.
We believe that it is important for businesses to act ethically and in the best interests of their customers, and this means respecting the privacy that every individual has and treating personal information as if it were our own. Not only is this the right thing to do, but businesses that embrace this philosophy will be rewarded with customers who trust and respect them. If an individual wants their personal information kept private or to not share something about themselves, a business should respect that decision.
Businesses that spend more time focusing on where data is stored, what data is collected, and how it is stored are placing themselves in a better position to avoid these data breaches from happening within their own organizations.
Data privacy legislation can help guide an organization in how it manages its data, and also has the added benefit of a financial incentive to complying with legislation. Depending on the jurisdiction, there can be significant fines imposed on organizations who carelessly handle customer data, so businesses that comply with legislation can avoid these damaging consequences.
Find more statistics at Statista
Types of Data Privacy Laws
There are several types of data privacy laws, including:
- Tort Law: Also known as “a civil wrong”, a tort is a cause of action that an individual or organization could use for the basis of a lawsuit against another individual or business. For example, Sally works for a bank and is caught snooping through Jane’s bank statements with no valid purpose. Jane could sue Sally based on the “intrusion upon seclusion” tort for a violation of her privacy and receive damages.
Healthcare Privacy: Data privacy laws surrounding healthcare deal with how healthcare providers and organization collect and manage individual health information.
Financial Privacy: Tis area of law is concerned with how banking institutions and related organizations manage personal and business financial data.
Digital Privacy: These laws govern how an organization collects data, what data it can collect, how it is stored, and how customers consent to the data being stored. This is the focus of our summary in this article.
What Laws Govern United States Data Privacy?
In the United States, there is no unifying law governing data privacy generally across the country. Attempts in 2018 to pass data privacy laws after the Equifax data breach were unsuccessful.
There are however some federal laws which have an impact on data privacy across the country. The FTC regulates cyber security at the national level. Other cyber security legislation includes:
- Cybersecurity Act of 2015
- Electronics Communications Privacy Act
- Computer Fraud and Abuse Act
- Economic Espionage Act
Each State is able to pass data privacy legislation to govern data privacy in its locale. The nature of the right to data privacy varies widely between states depending on their particular objectives. Some states such as California have passed dozens of laws relating to data privacy, health information, and financial privacy. While other states may have little or no data privacy laws at all.
What Laws Govern Canadian Data Privacy?
There are several laws which govern data privacy in Canada on both the federal and provincial levels.
The one most applicable to businesses is the Personal Information Protection and Electronic Documents Act (PIPEDA), which governs how businesses handle personal information. This law generally applies to:
- All for-profit businesses in Saskatchewan, Manitoba, Ontario, New Brunswick, Newfoundland, and the territories
- The personal information of employees of federally-regulated businesses (banking, aviation, etc.)
Businesses operating entirely within Alberta, British Columbia, or Québec because these provinces have their own legislation which is substantially similar to PIPEDA.
Under PIPEDA, businesses have an obligation to adhere to core principles, including:
- Accountability: Some must be appointed to monitor compliance with PIPEDA.
- Identifying Purposes: The reason for collecting personal information must be identified before or during the time of collection.
- Consent: The knowledge and consent of the individual are required in order to collect personal information.
Limiting Collection Only personal information which is required to be collected shall be collected.
Limiting Use, Disclosure, and Retention: Personal information must only be kept for as long as needed, used for the purpose originally identified, and not disclosed to third parties.
Accuracy: Personal information must remain accurate and up to date.
Safeguards: Information must be protected and kept safe.
Openness: Policies regarding the collection and use of personal information must be readily available and open to the public.
Individual Access: When requested, an individual must be given access to the information collected about them and allowed to correct the record.
Challenging Compliance: An individual can challenge the compliance of an organization through their appointed privacy officer.
The Privacy Act is another piece of legislation which governs how the federal government handles personal information.
Some provinces have passed data privacy laws in relation to health and financial data. For example, Ontario has the Personal Health Information Protection Act and Alberta has the Personal Information Protection Act for employment data.
How do Canadian and U.S. Data Privacy Laws Compare?
As you can see, while progress is being made on a state by state level in the United States, Canadian data privacy laws are much more unified with PIPEDA acting as a unifying federal law, or very similar provincial legislation in some provinces.
This unified approach is better for businesses when storing data because:
- It’s easier for businesses to identify which legislation applies to them and how to comply, especially when dealing with inter-provincial and international trade
- Customers know that data will be handled in a consistent way, rather than relying on the laws of one state
- Data use obligations are well defined and not changing as regularly as for U.S. states
It is for these reasons that we are seeing more and more businesses migrating data from the United States to Canada, and especially in the case of Canadian businesses or businesses dealing with a large amount fo Canadian clients.
If you’re interested in learning more about data privacy laws, take a look at the Office of the Privacy Commissioner's Summary of Privacy Laws in Canada. The office has also prepared a PIPEDA In Brief document. You can also view a listing of every privacy law in each state on Wikipedia.
Which Location is Right For You?
Choosing the right data center location is an important decision that is guided by many factors. Data privacy is just one of those factors, and which location is right for your business depends on:
- Where is your business located?
- Where are your primary customers located?
- What resources do you have to understand data privacy laws?
Each business must consider these factors when choosing a location and we’re here to help you make the decision in any way we can. Consider booking a free expert server consultation and we’ll provide a detailed overview of both our American and Canadian dedicated server locations to help you make an informed decision.