When crossing international borders, there are rules and regulations individuals must adhere to when leaving the country; storing your business’s data outside of Canada is no exception. But do you know what these laws are and how they impact your Canadian business?

Even in the cloud, jurisdiction matters

The Canadian government has laws in place that govern how public and private sector organizations can collect and use personal information and data. For businesses looking to store their data digitally using a web-based document storage and management platform, it’s important to understand how the privacy laws will impact you. For example, did you know that storing client or patient information using a platform like Google Docs or Dropbox might be illegal?

In Nova Scotia under the Personal Information International Disclosure Protection Act, it is generally illegal for public bodies and municipalities to store information outside of Canada. There are exceptions to this rule, namely that consent can be provided by the head of a public body or by the individual in accordance with the processes set out in the Act.

Similar laws are in place in British Columbia. The Freedom of Information and Protection of Privacy Act dictates that personal information in the custody or control of a public body must be stored and accessed only in Canada as stipulated in the Act.

It is for this reason that it is very important to take data residency into consideration when transitioning your Canadian business to a web-based document storage and management platform. Storing information on a web-based platform that is located in another country can have serious implications for your business, and subject you to international privacy laws.

What are the privacy laws in Canada?

The two federal privacy acts enforced in Canada are the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA).

The Privacy Act governs how the public sector, such as federal government departments and agencies, deals with an individual’s personal information. Under the Privacy Act, individuals have the right to access and request correction of personal information about themselves held by these federal government organizations. Additionally, every province in Canada has its own public sector privacy legislation.

PIPEDA governs how private sector organizations collect, use or disclose personal information with regard to commercial activities. Simply put, under PIPEDA, an organization can’t collect, use or disclose an individual’s personal information without first receiving their consent. PIPEDA also gives the individual the right to access and correct the personal information private sector organizations have collected about them.

However, three provinces have their own privacy laws in place that supersede PIPEDA. Alberta, British Columbia and Quebec have provincial private sector privacy laws that have been declared substantially similar to the federal law, thus the provincial laws apply rather than PIPEDA. But, when it comes to interprovincial or international transfers of personal information, PIPEDA will be applicable over the provincial law.

In addition to the public and private sector privacy laws, several provinces have their own health-specific privacy legislation, and many are attempting to gain the designation of being substantially similar to PIPEDA. These health-specific pieces of legislation govern how individuals can access their personal information and records from health service providers. Health-specific privacy legislation in Ontario, New Brunswick, and Newfoundland and Labrador has been deemed substantially similar to PIPEDA.

Why data residency matters

By keeping your data stored on Canadian servers, you are only subject to Canadian privacy laws. If you were to store your data in a cloud platform operated out of the United States, for example, then your information would be subject to the US Patriot Act. The US Patriot Act gives government and law enforcement agencies the ability to search data retained by service providers.

According to The Treasury Board of Canada Secretariat, “Under the Act, U.S. officials could access information about citizens of other countries, including Canada, if that information is physically within the United States or accessible electronically. The potential exists, therefore, for law enforcement agencies to obtain information about Canadians whose information might be handled under a contract between the federal government and a U.S.-based company.”

Before bringing your business to the cloud, do your homework. Ask your third-party provider questions to make sure they comply with Canadian privacy and data storage laws in your province. Also, be sure to check with your lawyer to verify the privacy laws applicable to your business. By being aware of and understanding privacy laws, you’ll be mitigating risk and keeping your documents and personal information safe and secure in the cloud.

At Docmaster, we have built a product that is compliant with all data laws in Canada. It is a secure, affordable, web-based file storage and management software for small to medium-sized businesses in Canada. We’ve taken every measure to ensure your data and client information are protected and secured. No matter where you are accessing your files, be it at home, on the road, or at the office, Canadian privacy regulations are always met when you use Docmaster.


Docmaster offers secure, web-based document management and storage for businesses in Canada. Docmaster makes working, storing and managing your business in the cloud safe, secure and easy. Your privacy is guaranteed, so you can focus on what matters most – serving the needs of your clients. Interested in learning more? Email info@docmaster.ca to find a solution for your document management needs.
