What the USMCA Means For Canadian Data Sovereignty
Canada, and Montreal in particular, has a booming data center industry. Its rapid growth is in large part driven by Canadian and regional data privacy regulations. The Personal Information Protection and Electronic Documents Act (PIPEDA) ensures that data storage providers conform to privacy best practices, differentiating Canada from other countries, including the U.S., that have weaker privacy regulations.
Businesses concerned about customer data privacy choose Canadian data centers for their built-in privacy and the assurance that data will not be moved out of Canada into nations with lax privacy protections.
The United States–Mexico–Canada Agreement (USMCA) complicates the data sovereignty story by limiting the power of national governments to impose data localization controls. Nevertheless, the Canadian government remains committed to data privacy. PIPEDA applies more than ever, and the Office Of The Privacy Commissioner of Canada has made it clear that individuals must consent before data is moved to third-party data centers, including data centers in other countries.
Most concerning issues about online usage according to internet users in the United States as of May 2017
More statistics at Statista
At the heart of PIPEDA are 10 fair information principles that describe how companies based in Canada should treat private data. The “identifying purposes” principle mandates that the purpose for which data is identified at the time of collection. The “safeguards principle” states that information should be protected by appropriate security. The “consent principle” insists that individuals should consent before personal information is collected, used, or disclosed.
Ignoring these principles as described in PIPEDA opens businesses to fines and legal action.
Moving data without permission to a data center with weak privacy protections would breach the letter and the spirit of PIPEDA. But the USMCA seems to mandate that there should be no limitations on the movement of data across borders to promote open trade.
Does that mean data hosts in Canada are free to move data across borders as they see fit, including into countries without strict privacy protections? Can businesses no longer rely on legal protections to prevent cross-border movement of data?
These questions are answered by two sets of guidelines published by the Office of the Privacy Commissioner of Canada (OPC). The first, “Guidelines for Processing Personal Data Across Borders,” describes the obligations businesses have under PIPEDA when moving data to other countries:
“PIPEDA does not prohibit organizations in Canada from transferring personal information to an organization in another jurisdiction for processing. However, under PIPEDA, organizations are held accountable for the protection of personal information transfers under each outsourcing arrangement.”
PIPEDA has always allowed organizations to move data across borders, but they must ensure that any third party can offer a comparable level of protection provided by PIPEDA. The law makes Canadian data processors responsible for protecting personal information while it is “in the hands of a third party processor.” If an organization can’t guarantee similar level protection, then it would be unwise to move data across borders.
The second document is the “Consultation on transborder dataflows,” which was published on April 9, 2019, months after USMCA was signed. The most important points made in the consultation document are:
“A company that is disclosing personal information across a border, including for processing, must obtain consent. Individuals must be given the opportunity to exercise their legal right to consent to disclosures across borders, regardless of whether these are transfers for processing or other types of disclosures.”
“Our view, then, is that cross-border data flows are not only matters decided by states (trade agreements and laws) and organizations (commercial agreements); individuals ought to and do, under PIPEDA, have a say in whether their personal information will be disclosed outside Canada.”
In a supplement to the consultation, the OSC further clarified that transfers between organizations, including cross-border transfers, are considered a disclosure of data under PIPEDA and that organizations must seek the consent of individuals before making any disclosure.
The privacy protections provided by PIPEDA are not substantially eroded by the USMCA. Canada remains one of the best jurisdictions for storing hosting private data. To learn more about the benefits Canadian data hosting, download our free white paper, “4 Reasons Why You Should Consider Hosting In Canada”