Data residency and compliance with data privacy regulations are top concerns for Legal Departments, which store and transmit the most sensitive data at the heart of a company. Examining the risks posed by newer data privacy laws and untangling the confusing issue of data residency requirements is necessary for a complete cybersecurity strategy.
Data Privacy and Protection Laws in Canada
There are a number of data privacy and protection laws in Canada, applicable at the national and provincial levels. Some are sector-dependent, such as the rules for handling personal information under the Act and for health information across provinces. The federal regulation is the Personal Information Protection and Electronic Documents Act (PIPEDA). Quebec (Act Respecting the Protection of Personal Information in the Private Sector, enacted 1994), Alberta (Personal Information Protection Act, enacted 2004), and British Columbia (Personal Information Protection Act, enacted 2004) have their own provincial laws, which are considered substantially similar to PIPEDA, so that in some cases the provincial law applies instead of PIPEDA.
In November 2018, PIPEDA was updated with the Digital Privacy Act which included requirements to notify individuals of data breaches and significant financial penalties for a failure to disclose them. The Digital Privacy Act was created in response to major data breaches which took place in Canada and around the world. In May 2018 the General Data Protection Regulation 2016/679 (GDPR) was implemented in the EU to protect the data of EU citizens anywhere it happens to be in the world – including Canada. Canadian companies are liable for significant financial penalties under the GDPR legislation if data is breached and the targeted EU citizens are not notified properly.
With these multiple national and global data privacy regulations, there is a concurrent rise in the risk to Legal Departments. A concrete strategy is required for protecting sensitive data by putting the right safeguards in place and getting rid of legacy software solutions that may not meet regulatory requirements for protecting sensitive data.
Data Residency: Is It Necessary for Security, or an Impediment to It?
Canada, in contrast to the United States, does not allow access to data stored in the cloud by law enforcement or other government agencies. Additionally, the United States has no data security protections equivalent to PIPEDA at the national level. There are regulations covering specific subsets of information, such as personal health information in the case of HIPAA, but there is no general set of regulations at the federal level governing data privacy.
Your company’s duty of care under PIPEDA extends to ensuring that data sent to other jurisdictions such as the United States “is afforded a comparable level of protection to that under Canadian Privacy Statutes,” according to Osler’s International Comparative Legal Guide to Data Protection 2018. Service providers argue that they meet any country’s privacy requirements, but their argument is of course biased, since they offer cloud computing services based in the United States. It is correct that once data is in the cloud, the location of the server it is stored on does not necessarily matter; it is the protections that the company and the service provider put in place to safeguard data which make a difference.
There is also the consideration of the requirement of companies to notify customers when there is a breach of personal information. American companies are not governed by federal regulations on data protection, and data protection laws vary by state. While most states do have laws governing notification of individuals when their privacy is breached, not all go as far as PIPEDA does. In order to ensure that you are adhering to data privacy regulations in your province, sector, and at the federal level, it is safer to choose a company such as DiliTrust which stores data on servers based in Canada.
The US CLOUD Act: Another Reason to Choose Canadian Data Residency
In March 2018, the Clarifying Lawful Overseas Use of Data (“CLOUD”) Act amended the Stored Communications Act to give the American government more access to digital files. The CLOUD Act also allows for a streamlined process where foreign governments can request data pertaining to their own citizens. While companies can challenge these requests, it opens up a risk vector for penalties under non-complementary regulations such as the GDPR, which protects individual rights over the rights of law enforcement. Keeping data within Canada can keep it beyond the reach of the CLOUD Act, as long as your company is not US-based.
The Canadian Government Requires In-Country Data Residency for Sensitive Information
The Canadian Government requires that any sensitive government information be stored on servers within Canada or within the boundaries of diplomatic or consular missions. When in transit in a network that is outside of these geographic areas, the data must be encrypted. The government’s reasoning is laid out in its Direction of Electronic Data Residency from the Treasury Board of Canada Secretariat. While the expected national security concerns apply, the government also cites the following as justification for this action:
“When the data physically resides in Canada, it is subject to the protections afforded by Canadian privacy laws and Canada will be better situated to take prompt action, for example, in the event that access to data is compromised.” Direction of Electronic Data Residency, Treasury Board of Canada Secretariat
DiliTrust Governance Exceeds Regulatory Requirements
Legal Departments store and process highly confidential data. It is vital that they employ a secure solution to manage contracts, litigation, intellectual property, and anything else that the legal department may deal with. Storing files in a room, on a hard drive, or even in a standard cloud storage solution such as OneDrive or Google Drive offers insufficient security for sensitive files.
Apart from the ability to streamline your legal department’s operations, DiliTrust Governance is a secure solution that keeps sensitive data within Canadian borders and complies with all relevant regulations, guidelines and best practices for data privacy and security.