By: John Slater, Chief Security Officer at ThinkOn
This is the third article in our series on data sovereignty. Each article, authored by a different ThinkOn Thinker, takes a deep dive into a specific topic that underlies data sovereignty: mobility, governance and compliance, public and private sector data requirements, and value to partners and customers. If you missed the first article, “Canadian Sovereign Cloud: Data Security Begins at Home,” by ThinkOn CEO, Craig McLellan, you can find it here. The second article, by Paul West, Director, Global Public Sector, focusses on the value to government and public sector.
Data protection is one of the more pressing issues of our times. Compliance regulations continue to evolve at a rapid pace to keep up with emerging security and sovereignty risks, making it harder for global organizations to keep up. Cloud service providers (CSPs) can help by supplying a framework for data storage and privacy, as well as the expertise and resources that many clients cannot maintain in-house.
It’s important to remember, however, that not all cloud providers are equal partners in data protection, especially in the critical area of sovereignty. While most clients know that data must be kept secure from bad actors, domestic and foreign, many are less informed about third-party partners in the supply chain of the very hyperscalers we trust to safeguard our most precious asset—our data.
A sensitive subject: Who’s controlling our data?
Privacy issues become more critical every day as big tech companies expand their businesses and widen their global reach, exposing our data to foreign governments and third-party supply chains. Public service clients need to know who to trust—and what suppliers are doing with our data.
All foreign-owned CSPs use offshore resources to store and manage data. That makes cloud computing a complex and risky business, exposing clients to a framework that doesn’t guarantee security and compliance for those responsible for maintaining sovereignty over our data.
International governments are stepping up their game in response to growing concerns about multi-national companies that don’t play by the rules of the countries where they do business.
An investigation into data compliance landed tech giant Meta in trouble with the European Union. According to a recent article in Fortune, “Ireland’s privacy watchdog has hit Meta with a record-breaking privacy fine of €1.2 billion ($1.3 billion U.S.) over the tech giant’s illegal transfers of European users’ personal data to the United States—and perhaps more importantly, has ordered the company to stop sending any more of that information across the Atlantic.”1
Many nations, including Canada, have strict data sovereignty laws, which protect data privacy as long as that data remains in the country of origin. Once it leaves our digital borders, however, the cloud provider is no longer required to conform to our laws. Since the big three hyperscalers, Amazon, Microsoft, and Google, own 61 per cent of the cloud computing market in Canada2 and 66 per cent worldwide, keeping a close eye on what they do with data is critical.3
Whose compliance is this? Trust and transparency in data privacy
Compliance is the cornerstone of data sovereignty. Following the regulations set out by the governments of the countries where we do business represents a secure and responsible way to manage data in the country of origin. For sovereign cloud providers, this is the gold standard in best practices.
For companies based in the U.S., the rules are different. While they may have local offices in each country where they provide cloud services, as American companies, they are still subject to the U.S. CLOUD Act. This means that data stored on U.S. platforms such as Azure, Google, and AWS could be revealed to the U.S. federal government subject to a warrant or subpoena, regardless of the global location where the data is stored.4
In its Data Law blog, Microsoft states, “The CLOUD Act amends U.S. law to make clear that law enforcement may compel U.S.-based service providers to disclose data that is in their “possession, custody, or control” regardless of where the data is located. …In the first half of 2022, Microsoft received 5,560 legal demands for consumer data from law enforcement in the United States. Of those, 96 warrants sought content data which was stored outside of the United States.”5
Sovereign Acts for a sovereign nation
Data sovereignty is the right to control the collection, ownership, and application of citizens’ data in the country of origin.6 If we wish to maintain sovereignty over our data, we need to demand compliance and transparency from our cloud service providers on how they manage their data supply chain.
“When it comes to citizen data, trust fails when there’s a lack of transparency. Transparency means telling users what’s going on with their personal data: how it’s secured, who can access it and how it’s being used, how to get it back, and what it’s costing them,” said Craig McLellan in a recent article in Canadian Government Executive.7
More countries are starting to create rules around data sovereignty, restricting where data can go and who has jurisdiction. The General Data Protection Regulation (GDPR) in the EU is the strongest privacy and security law in the world, with strict controls over data sovereignty and severe sanctions against those who violate data protection rules, including fines of up to €20 million or four per cent of a data controller’s global annual sales.8
In Canada, the federal government is moving to restrict foreign interference in our data sovereignty and significantly strengthen Canada’s private sector privacy law with the introduction of the Digital Charter Implementation Act in 2022. The Act includes the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act.
“Safety and trust must be the foundation of this new digital economy. By introducing the Digital Charter Implementation Act, 2022, we are ensuring that Canadians can trust when and how their information is being used,” said The Honourable François-Philippe Champagne, Minister of Innovation, Science and Industry.9
The law allows fines up to $25 million CAD or five per cent of a data controller’s global revenue for violations of the Act.
Sovereign clouds safeguard a sovereign nation
Public service organizations have the will and the responsibility to protect Canadian data and demand compliance with our sovereignty laws. The simplest and most effective way to ensure that security and compliance is to keep Canadian data in Canada, managed by Canadians, with no connection to foreign actors or governments.
“It’s about a combination of people and technology in a way that ensures that as a citizen of Canada, using digital government services, you don’t have to worry about inadvertent data loss to foreign services or foreign markets,” said McLellan in a recent podcast. “The data can’t physically leave if there’s no connection out of the country.”10
Simply put, we need to ask, where do the humans reside? Who has access to my data and what are they able to do with it? What is the exposure to foreign interests? If your CSP can’t—or won’t—answer those questions, then it’s time to switch to another cloud provider.
Sovereign nation, sovereign cloud
To ensure compliance with local data privacy and sovereignty laws, more and more organizations are looking to sovereign cloud solutions to protect their sensitive data. Sovereign cloud providers use multi-layered security and access controls to protect data. This prevents unauthorized access and data loss in the face of growing cyberattacks from foreign actors.
Sovereign clouds are operated by domestic cloud providers who provide dedicated cloud storage that complies with local privacy laws. We can respond faster and more efficiently to security threats, data privacy rule changes, and shifts in the political landscape because we are local.
“Checking our data into a foreign-owned cloud provider can feel like the opening to a horror flick,” said McLellan in a recent blog. “Everything seems bright and hopeful at the start, but there’s a pervasive doubt about what’s lurking around the corner, and it just gets worse from there.”
In a digital-first government, there must be transparency around who has access to our data. Anyone the CSP is partnered or affiliated with could have access to sensitive data and may be obligated to hand that information over to a foreign interest. ThinkOn works with a small and carefully selected group of trusted partners. We don’t hide who they are because we’re proud to work with reputable industry leaders.
A sovereign cloud solution, made in Canada
In Canada, ThinkOn’s Canadian Sovereign Cloud is the only approved cloud service provider under the Shared Services Canada framework agreement for secure workload. Our cloud adheres to VMware specifications in addition to our commitment to the federal government. That means we adhere to all data residency requirements with local data centers at the highest standard, with flexible cloud architecture and secure data mobility without egress fees.
We are 100% Canadian-owned. We hire Canadians to manage our Canadian clients’ data, ensuring secure access within our borders. Our customer service is provided by local compliance experts with a full understanding of changing Canadian laws and industry regulations. That’s a solemn commitment to our fellow Canadians, and the best way to ensure the safety of our most precious asset—the data Canadians rely on.
Digital transformation is a must in today’s global world. It’s a huge opportunity to streamline operations, increase efficiencies, and automate ESG. And you shouldn’t have to sacrifice security or compliance to make that happen.
Learn more about data sovereignty in “Securing Canada’s Data Supply Chain Now—and for the Future” by Craig McLellan, ThinkOn’s CEO and founder.
[1] David Meyer. 2023. Fortune. “Facebook owner Meta hit with record $1.3 billion privacy fine and told to stop sending Europeans’ data to U.S.” https://fortune.com/2023/05/22/facebook-meta-1-3-billion-privacy-fine-eu-gdpr-max-schrems/
[2] Felix Richter. 2023. Statista. “Big Three Dominate the Global Cloud Market.” https://www.statista.com/chart/18819/worldwide-market-share-of-leading-cloud-infrastructure-service-providers/
[3] Marija Pandurov. Reviewlution.“20 Statistics on Cloud Computing in Canada & Abroad.” https://reviewlution.ca/resources/cloud-computing-canada/
[4] The U.S. Department of Justice. “The Purpose and Impact of the Cloud Act,” https://www.justice.gov/criminal-oia/page/file/1153466/download
[5] Microsoft. “About our practices and your data.” https://blogs.microsoft.com/datalaw/our-practices/#how-many-enterprise-cloud-impacted
[6] Susan Ariel Aaronson. 2021. Hinrich Foundation. “Data is disruptive: How data sovereignty is challenging data governance.” https://www.hinrichfoundation.com/research/article/digital/data-is-disruptive-how-data-sovereignty-is-challenging-data-governance/
[7] Craig McLellan. 2023. Canadian Government Executive. “Trust and transparency: safeguarding citizen confidence in a digital-first public sector.” https://canadiangovernmentexecutive.ca/trust-and-transparency-safeguarding-citizen-confidence-in-a-digital-first-public-sector/
[8] Council of the European Union. 2022. “Data Protection in the EU.” https://www.consilium.europa.eu/en/policies/data-protection/data-protection-regulation/
[9] Innovation, Science and Economic Development Canada. 2022. “Canadians to benefit from clear rules around the use of personal information and responsible AI development.” https://www.canada.ca/en/innovation-science-economic-development/news/2022/06/new-laws-to-strengthen-canadians-privacy-protection-and-trust-in-the-digital-economy.html
[10] Craig McClellan. 2022. Canadian Government Executive. “The Canadian Cloud Difference.” https://canadiangovernmentexecutive.ca/the-canadian-cloud-difference%EF%BF%BC/