Government and public service organizations know how important it is to protect the privacy of Canadian data. What they may not know is that some cloud providers make misleading claims about data sovereignty.
At a time when geopolitical tensions are rising, and national security is top of mind, Canadian values like integrity and transparency are more important than ever. When cloud providers claim that storing data in a Canadian data centre is all it takes to ensure sovereignty, you’re not getting the full picture.
Location, Location, Location: When it comes to data, data residency is simply not enough
Storing data in a Canadian data centre is the first step to ensuring Canadian data stays home and under Canadian law, but it’s also just that—a first step.
While data residency (where your data is physically stored) is important, it’s only one part of a larger equation. Just because data is housed in Canada doesn’t mean it’s safe from foreign access, especially when it’s in transit or accessed by third-party contractors.
The difference between data residency and data sovereignty is one of physical location vs. jurisdiction. Claude Mandy, in a recent article for Forbes, explains the distinction: “Data residency outlines the intended geographical storage and processing of data, data sovereignty is about the rights and control over data, based on the jurisdiction of the data storage and processing.” i
Misleading data sovereignty claims put Canadian data at risk
Most major cloud providers, like Amazon, Microsoft, and Google, are US-based companies that rely on foreign third-party contractors to manage data. But even if your data is stored in a Canadian data centre, it may still be subject to foreign laws, including the CLOUD Act, which allows access to your data without your knowledge or consent.
As Canadian organizations increasingly depend on the big three, the risk to data sovereignty grows. When your cloud provider answers to another country’s regulations, your data security isn’t truly in Canadian hands.
The Government of Canada acknowledges the dangers of foreign access and control of our data in their Data Sovereignty and Public Cloud White Paper that explains, “As long as a CSP that operates in Canada is subject to the laws of a foreign country, Canada will not have full sovereignty over its data.” ii
Understanding your CSP’s supply chains is important because when you do business with them you are also doing business with every company and contractor they do business with.
How can you be sure you know who these foreign operators are, how often they change, and if they are subject to Canadian law? If your CSP can’t—or won’t—provide full transparency for every link in their supply chain, you need to look for a more secure solution.
A Tale of Two Countries: Navigating Data Sovereignty and Residency
Sovereign cloud expert Stan Kwong sums up the peril to Canadian organizations working with foreign-owned cloud service providers (CSPs): “The 2018 CLOUD Act allows US federal law enforcement to compel US-based technology companies to provide requested data stored on company servers, regardless of whether the data is stored in the US or on foreign soil.” iii
That means that even when your data is stored in Canada, if you are working with a US cloud provider, they could be compelled to release Canadian data to the US government. Under that scenario, data sovereignty is broken, and whatever promises your CSP has made to protect your data, their legal obligations put them in conflict with that claim.
Canadians’ right to data privacy is irretrievably broken once data leaves our borders, and that jeopardy is doubled by the fact that Canadians have no rights in foreign jurisdictions.
Data sovereignty and Canadian privacy: The real-world threat
As tensions with the US grow, Canadian businesses face increasing risks when relying on foreign-owned cloud platforms. While some “big buy” cloud providers claim to offer data residency within Canada, their operations remain subject to US laws like the CLOUD Act.
The risks go beyond privacy. According to Graham Dobson, senior economist with the Dais think tank at Toronto Metropolitan University, in a recent Globe and Mail article, “Having a foreign supply of cloud compute puts our economic sovereignty at major risk…. From a data sovereignty perspective, that poses a far worse national security concern.” iv
The Globe article goes on to warn that “The potential consequences are severe. Experts warn that the US could impose export controls on critical AI infrastructure or even direct cloud providers to cut off Canadian clients, disrupting businesses nationwide. Barry Sookman, senior counsel at McCarthy Tétrault LLP, has suggested legal safeguards to prevent foreign influence over Canadian data, but so far, little has been done.”
Even the Treasury Board of Canada Secretariat acknowledges the risk, stating that when data is stored in the cloud under foreign control, “Canada cannot ensure full sovereignty over its data” v
ThinkOn: Canada’s only true sovereign cloud solution
ThinkOn CEO, Craig McLellan, stresses the importance of the country taking notice. “Everyone has woken up. People are realizing that as long as that data is residing on a cloud infrastructure owned by an American company, they really aren’t safe.” vi
ThinkOn is 100% Canadian-owned and operated, ensuring complete transparency across our supply chain. Our high-security clearance standards guarantee that all personnel handling customer data are vetted within Canada.
ThinkOn Sovereign Cloud is a truly Canadian solution, keeping data residency, governance, and compliance within our borders. We provide full traceability and supply chain management, meeting the highest Canadian regulatory standards.
Unlike foreign-owned providers, we never allow third-party access to our Canadian data supply chain. Built to handle PBMM data and backed by our VMware Sovereign Cloud designation, ThinkOn delivers a secure, sovereign framework you can trust.
Because your Canadian data deserves a sovereign solution.
Is your cloud provider making claims that don’t add up? Learn more in our ebook, Debunking the 7 Common hyperscaler cloud claims for public sector.
1. Forbes. 2023. Claude Mandy. “The Future Of Data Security: Data Residency, Sovereignty And Localization Are All Here To Stay.” https://www.forbes.com/sites/forbestechcouncil/2023/07/19/the-future-of-data-security-data-residency-sovereignty-and-localization-are-all-here-to-stay/?sh=2bbbcd9ea1a5
2. Government of Canada White Paper. “Data Sovereignty and Public Cloud.” https://www.canada.ca/en/government/system/digital-government/digital-government-innovations/cloud-services/gc-white-paper-data-sovereignty-public-cloud.html
3. VMware. Stan Kwong. “How Data Privacy and Sovereignty Impact Business.” https://blogs.vmware.com/cloud/2022/08/04/how-data-privacy-and-sovereignty-impact-business/
4. Security Week. 2023. Ionut Arghire. https://www.securityweek.com/canadian-military-police-impacted-by-data-breach-at-moving-companies/
5. The Globe and Mail. Joe Castalo. “Changing U.S. relationship has thrust Canada’s data sovereignty into the spotlight”
https://www.theglobeandmail.com/business/article-changing-us-relationship-has-thrust-canadas-data-sovereignty-into-the/
6. The Globe and Mail. Joe Castalo. “Changing U.S. relationship has thrust Canada’s data sovereignty into the spotlight”
7. The Globe and Mail. Joe Castalo. “Changing U.S. relationship has thrust Canada’s data sovereignty into the spotlight”
https://www.theglobeandmail.com/business/article-changing-us-relationship-has-thrust-canadas-data-sovereignty-into-the/