Keeping watch on where data travels over the internet is relevant to any business that cares what country might have access to its private information. Exactly where data moves and is stored is tied to the concept of data sovereignty, the idea that data is governed by the laws of the country where it’s located.

If data stays in Canada, local privacy laws apply to personal information. But that control may be lost once data slips outside the border.

Data sovereignty is creeping up the agenda for CIOs and CISOs around the world as cloud services with loose geographical boundaries become increasingly prevalent. Many countries, particularly in Europe, have implemented stricter rules to try to protect their citizens’ data.

Canada is no exception. Here’s what every Canadian CIO and CISO needs to know about data sovereignty.

Data sovereignty in Canada: Federal or provincial jurisdiction matters

How data is treated in Canada depends on the type of organization and the province where it’s located. The laws are focused on personal information belonging to citizens or consumers.

Two sets of federal laws apply to data: the Privacy Act, for federal institutions, and the Personal Information Protection and Electronic Documents Act (PIPEDA), for private-sector organizations.

There’s no rule stipulating the federal government must keep its sensitive data in Canada, but the Directive on Digital Service updated in 2020 says keeping computing facilities within borders should be considered as the first choice.

Ottawa acknowledges that even if data resides in Canada, once it’s on the cloud it can be subject to the laws of the cloud service provider’s home country. It argues the technical benefits outweigh the risks even though it means the government can never have full sovereignty over its data. For instance, the Government of Canada does business with both Amazon’s AWS and Microsoft Azure. Both host data in Canada but are based in the US, where they’re subject to the US Foreign Intelligence Service Act.

But some provinces have stricter rules. Québec passed legislation in November 2021 that will require organizations to conduct a privacy assessment if they plan to send data outside Québec, and British Columbia requires public bodies to store personal information inside Canada. That said, British Columbia is considering relaxing its data sovereignty rules to make it easier to use digital services.

A Canadian GDPR? New rules may be around the corner

Ever since the EU introduced the GDPR (General Data Protection Regulation), there has been speculation that similar rules might come to Canada. The GDPR stipulates that any company anywhere in the world holding personal information of EU residents must apply strict controls over that data’s use and give those residents some authority over that use. The GDPR also says that companies or public bodies cannot move EU residents’ data outside its home jurisdiction unless it’s similarly protected by privacy laws wherever it moves.

Canada introduced legislation in 2021 that would update its data privacy rules to look more like the GDPR, but the bill never came to pass. Politicians are expected to take another crack at it in 2022. Either way, CIOs and CISOs would be wise to look to Europe or Québec’s newly minted Bill 64 to see what sort of requirements might be in the future.

Companies must do their homework under PIPEDA

For now, Canadian CIOs and CISOs must work within the existing frameworks.

There’s nothing explicit about data sovereignty in PIPEDA, the law that governs how private organizations handle consumer information. But PIPEDA does put the responsibility on companies to safeguard all personal information, regardless of how it’s stored, against “loss, theft, or any unauthorized access, disclosure, copying, use, or modification.”

That’s a massive undertaking. Cloud vendors, particularly the giant hyperscalers AWS, Microsoft, and Google that have built their own centres in Canadian cities, do extensive work to ensure the security of their operations. But CIOs and CISOs also need to ask the right questions, said Megha Kumar, IDC’s research vice president for software and cloud services. “As an organization, you need to do your due diligence. The onus just doesn’t fall on cloud providers, it falls on you,” she said.

Kumar recommends working with the cloud provider to answer questions such as how data will be treated at rest and in motion, how it will be classified, and what data sets should move to the cloud in the first place.

Taking these extra steps can help build trust with customers. “It shows that you’re an organization that’s taking the customer’s business seriously, the customer’s information seriously,” she said.

Don’t forget about data in motion

It’s easier to think about data sovereignty when the information isn’t moving. After all, if data is in a massive, Canadian-owned computing centre in Toronto, it’s clear that Canadian privacy laws would apply. But it becomes more complicated when that data needs to move from point A to point B.

For example, the path from Toronto to Montréal might cross through the United States, depending on how a network is configured. There’s not a lot of visibility on which fibre optic cable a company’s data might travel on at any given time, said Jacques Latour, chief technology and security officer at the Canadian Internet Registry Authority (CIRA). Even if the information is being sent from Canada to Canada, it could flow south of the border. CIOs and CISOs need to understand that when they don’t control traffic, they’re at the mercy of internet service providers as to where their data actually travels, he said. “There’s no Google Maps for the internet to understand where the traffic flows.” And once data leaves Canada, it could be captured even if it’s encrypted, Latour said.

To address these concerns, CIRA has supported the development of more than 10 internet exchange points in Canada to enable networks to exchange traffic locally. It’s also building a tool that measures and shows traffic on different paths between networks in Canada.

Just as road traffic matters to trucking companies, where data travels should matter to any business that buys internet transit to offer services to customers, Latour said. It can help them determine how to keep their data safe by deciding what information to send and when.
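The visibility problem Latour describes can at least be checked one path at a time. The following Python script is an added example, not part of the original article and not CIRA's tool: it parses ordinary traceroute output and flags every hop that falls outside address ranges the organisation has itself verified as terminating in Canada. The prefixes, hostnames and the trace itself are constructed placeholders.

```python
import ipaddress
import re

# Constructed allowlist: blocks the organisation has verified as ending inside
# Canada (its own LAN plus ranges its providers confirmed). These are test
# prefixes used as placeholders, not real Canadian allocations: replace them.
IN_COUNTRY_PREFIXES = [ipaddress.ip_network(p) for p in
                       ("10.0.0.0/8", "192.0.2.0/24", "198.51.100.0/24")]

HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")     # "<hop>  <rest of line>"
HOP_ADDR = re.compile(r"\(([0-9a-fA-F.:]+)\)")  # "(address)" as traceroute prints it


def classify_hop(addr):
    # A hop is 'in-country' only if it sits inside a verified prefix.
    ip = ipaddress.ip_address(addr)
    return "in-country" if any(ip in net for net in IN_COUNTRY_PREFIXES) else "out-of-country"


def parse_traceroute(text):
    # Returns (hop, address, status); silent hops ('* * *') become 'unknown'.
    hops = []
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue  # header or blank line
        hop, rest = int(m.group(1)), m.group(2)
        a = HOP_ADDR.search(rest)
        if a is None:
            hops.append((hop, None, "unknown"))
        else:
            hops.append((hop, a.group(1), classify_hop(a.group(1))))
    return hops


def audit_path(text):
    # The path counts as verified only when every hop answered from a verified
    # prefix; an unknown hop cannot be placed, so it is never assumed in-country.
    hops = parse_traceroute(text)
    outside = [h for h, _, s in hops if s == "out-of-country"]
    unknown = [h for h, _, s in hops if s == "unknown"]
    return {"verified_in_country": not outside and not unknown,
            "outside_hops": outside, "unknown_hops": unknown}


# Constructed sample (Toronto office to a Montreal host): hop 3 is silent and
# hop 4 falls outside the verified ranges.
SAMPLE_TRACE = """\
traceroute to montreal.example.ca (198.51.100.40), 30 hops max, 60 byte packets
 1  gw.office.example.ca (10.20.0.1)  0.412 ms  0.380 ms  0.355 ms
 2  isp-edge.example.ca (192.0.2.17)  2.101 ms  2.050 ms  2.002 ms
 3  * * *
 4  transit-border.example.net (203.0.113.77)  18.440 ms  18.392 ms  18.371 ms
 5  montreal.example.ca (198.51.100.40)  21.903 ms  21.880 ms  21.850 ms
"""
```

Running `audit_path(SAMPLE_TRACE)` reports the path as unverified with hop 4 outside the ranges and hop 3 unknown; a single trace is one snapshot, so repeat it over time, since routing can change under you.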