Government and public service organizations know how important it is to protect the privacy of Canadian data. What they may not know is that some cloud providers make misleading claims about data sovereignty.
Integrity, transparency, and accuracy in contractual transactions are fundamental to our Canadian values, and when it comes to our national security, we can’t afford to compromise. If your cloud provider claims that storing data in a Canadian data centre is enough to protect its sovereignty, that is simply not true.
Data residency is important, but it’s limited in its scope to protect sensitive data under Canadian law. Where your data is stored is only part of the equation. For example, while stored in Canada, data is protected, but when it is in transit or accessed by foreign contractors it may not be. Is your CSP guaranteeing that your data will stay in Canada, managed only by Canadians? If not, data sovereignty is not assured, no matter where it’s stored—meaning sensitive data could be at risk.
Location, Location, Location: When it comes to data, data residency is simply not enough
Storing data in a Canadian data centre is the first step to ensuring data privacy under Canadian law, but that’s not the whole story.
Data sovereignty refers to both the ownership and operational supply chain location of the data. Data residency, on the other hand, refers only to the geographical location of the data.
The difference between data residency and data sovereignty is one of physical location vs. jurisdiction. Claude Mandy, in an article for Forbes, explains the distinction like this: “Data residency outlines the intended geographical storage and processing of data, data sovereignty is about the rights and control over data based on the jurisdiction of the data storage and processing.”i
Why Hyperscalers Data Sovereignty Claims Put Canadian Data at Risk
Hyperscalers are U.S-based companies, and all of them use third-party foreign contractors to manage data. Any time data is accessed or in transit outside our borders, it could be subject to different rules under the laws of other countries, including the US Cloud Act.
The Government of Canada acknowledges the dangers of foreign access and control of our data in their Data Sovereignty and Public Cloud White Paper that explains, “As long as a CSP that operates in Canada is subject to the laws of a foreign country, Canada will not have full sovereignty over its data.”ii
Understanding your CSP’s supply chains is important because when you do business with them, you are also doing business with every company and contractor they do business with.
How can you be sure you know who these foreign operators are, how often they change, and if they are subject to Canadian law? If your CSP can’t—or won’t—provide full transparency for every link in their supply chain, you need to look for a more secure solution.
A Tale of Two Countries: Navigating Data Sovereignty and Residency
Sovereign cloud expert Stan Kwong sums up the peril to Canadian organizations working with foreign-owned cloud service providers (CSPs). “The 2018 US CLOUD Act allows US federal law enforcement to compel US-based technology companies to provide requested data stored on company servers, regardless of whether the data is stored in the US or on foreign soil.”iii
That means that even when your data is stored in Canada, if you are working with a US cloud provider, they could be compelled to release Canadian data to the US government. Under that scenario, data sovereignty is broken, and whatever promises your CSP has made to protect your data, their legal obligations put them in conflict with that claim.
Canadians’ right to data privacy is irretrievably broken once data leaves our borders, and that jeopardy is doubled by the fact that Canadians have no rights in foreign jurisdictions.
Trust in our supply chain is critical, and it’s not just the money-motivated hackers we need to be concerned with
Cyberattacks come in two basic flavors: profit and chaos. Also known as ransomware and hacktivism.
Hacktivism is a serious threat to Canadian sovereignty and our way of life, as foreign governments seek to interfere in our national economy and erode our rights and freedoms.
Goldy Hyder of the Business Council of Canada confirms the threat of state-sponsored cybercrime to Canadians in a recent article for the Toronto Star. “In virtually every sector and region of our country, Canadian businesses now regularly find themselves in the crosshairs of malicious state actors seeking to advance their national interests in ways that can, and do, undermine Canada’s national security. This should concern all Canadians.”iv
Our approach to Canadian privacy embodies our most dearly held values and prosperity. Data is critical to our infrastructure, food and other essential supply chains, and healthcare. Our safety, security, and way of life depend on our ability to keep data safe from foreign interference.
Data sovereignty and Canadian privacy: The real-world threat
The consequences of breaking Canadian data privacy laws, supply chain attack, or hacktivism can be far-reaching, and no sector is immune.
A recent class action law suit against Canadian laboratory testing giant LifeLabs required the company to pay out millions for failing to protect their customers’ sensitive personal and medical data from cyberattack. “The Class includes approximately 8.6 million persons whose personal information (including provincial health card numbers) was stolen, including approximately 131,957 Class members whose confidential test requisitions or test results were stolen by hackers.”v
Failure to keep Canadian data within our borders resulted in the exposure of Canadians’ most sensitive data, a breach of diligence that cost LifeLabs financially and damaged their reputation.
The Canadian digital landscape is littered with real-world examples of data breaches targeting Canadian institutions, including hospitals, libraries, and government departments at both the federal and municipal level, from the Canada Revenue Agency and Canada Postvi, to city governments and police organizations.vii
Canadian values are distinct, and our privacy laws are designed to uphold those values. We need to ensure that Canadians—and their sensitive data—are governed by Canadians, and not subject to foreign law. A Canadian solution for protecting Canadian data is a mission-critical requirement.
ThinkOn is a 100 percent Canadian-owned and Canadian-operated company, so we have a vested interest in protecting Canadian data and securing our national economy. We provide full transparency about operations in our supply chain and ensure high-security clearance for all personnel in the country of origin for our customers’ data.
Working with a truly Canadian company like ThinkOn ensures that data sovereignty, traceability, and supply chain management are in full compliance with Canadian regulations.
ThinkOn Sovereign Cloud is a true Canadian solution that ensures data residency and governance stay within our borders, protecting data sovereignty, and providing traceability and supply chain management in full compliance with Canadian regulations.
At ThinkOn, we do not allow foreign third-party access in our Canadian data supply chain, so data is secure within a solid sovereign framework, built to handle PBMM data, and backed by our VMware Sovereign Cloud designation.
We are the only true Canadian Sovereign Cloud provider. It doesn’t get any more Canadian than that.
Is your cloud provider making claims that don’t add up? Learn more in our ThinkOn ebook, Debunking the 7 Common hyperscaler cloud claims for public sector.
1. Forbes. 2023. Claude Mandy. “The Future Of Data Security: Data Residency, Sovereignty And Localization Are All Here To Stay.” https://www.forbes.com/sites/forbestechcouncil/2023/07/19/the-future-of-data-security-data-residency-sovereignty-and-localization-are-all-here-to-stay/?sh=2bbbcd9ea1a5
2. Government of Canada White Paper. “Data Sovereignty and Public Cloud.” https://www.canada.ca/en/government/system/digital-government/digital-government-innovations/cloud-services/gc-white-paper-data-sovereignty-public-cloud.html
3. VMware. Stan Kwong. “How Data Privacy and Sovereignty Impact Business.” https://blogs.vmware.com/cloud/2022/08/04/how-data-privacy-and-sovereignty-impact-business/
4. Toronto Star. 2024. Goldy Hyder. “Spy business: Why CSIS and corporate Canada must join forces in the war against cyberattacks.” https://www.thestar.com/business/opinion/spy-business-why-csis-and-corporate-canada-must-join-forces-in-the-war-against-cyberattacks/article_cf48bdfe-becc-11ee-a4c8-cfcc4296c638.html
5. KPMG. 2023. “LifeLabs Privacy Breach Class Action.” https://lifelabssettlement.kpmg.ca/
6. KonBriefing Research. 2023. Bert Kondruss. “https://konbriefing.com/en-topics/cyber-attacks-canada.html
7. Security Week. 2023. Ionut Arghire. https://www.securityweek.com/canadian-military-police-impacted-by-data-breach-at-moving-companies/