What appeared to be a ban on data localization policies was cause for confusion in our business when the USMCA trade deal was announced this past fall. In part, because we know that the question of where internet servers are physically located is becoming increasingly more – not less – important as businesses shift to the cloud.
The Digital Trade section of the USMCA limits requirements placed by the government on where data is stored or transferred. The federal government can’t require that data centers be located in Canada in order to conduct business in this country, for example.
And, on the issue of cross-border data-flows and data localization, it says, “no Party shall prohibit or restrict the cross-border transfer of information, including personal information.” It continues that this does not prevent a party from doing so for a “legitimate public policy objective,” as long as any restriction does not constitute “a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade.”
In other words, the door isn’t closed. Policies could be put in place to restrict data to local jurisdictions for the right reasons.
The agreement is very new, and it’ll take time and some back-and-forth for trade lawyers to establish precedents and work through exactly how these provisions are interpreted. But if data privacy and IT security is a core component of your business, what’s changed? If you’re running a bank or a healthcare institution or are in the pharmaceutical business, for example, it’s hard to imagine that where your data is stored and who has access to it isn’t at the top of the list of your security concerns.
Canada’s digital borders have to be secure; that was true pre-USMCA and it remains true now. Whereas privacy laws fluctuate in some global regions, the protection of personal information remains at the forefront of public policy in Canada where comprehensive federal and provincial privacy legislation that protects information has been created and enforced. A good example is the Personal Information Protection and Electronic Documents Act (PIPEDA), a federal law that sets ground rules for how businesses must handle personal information during commercial activity.
The Canadian government is particularly proactive about privacy legislation, updating regulations in response to evolving markets and technologies. For example, as recently as November 1, 2018, organizations subject to PIPEDA must report data breaches affecting Canadians to the Office of the Privacy Commissioner of Canada, and to affected consumers. These new provisions amend Canada’s Digital Privacy Act, which came into effect in 2015, helping safeguard Canadians against data breaches.
The fact is that business owners want to be confident that their customer and their company data is secure so they can get on with their primary job of driving the business. USMCA or not, Canada’s stable government and strong federal and regional privacy laws continues providing a superior choice for organizations that prioritize data sovereignty.
With green energy, cool climate and low latency connectivity, strong privacy laws and a currency benefit, Montreal offers a data storage ecosystem unmatched in North America. Want to know more? Download our white paper or reach out to ROOT Data Center here.