Canadian Law for Online Businesses: Data Sovereignty FAQs

As online businesses become aware of their legal responsibilities in regards to privacy, we’ve received more and more questions about Data Sovereignty. Following are the most frequently asked questions to date.

What is Canadian Data Sovereignty?

All information we collect from Canadians for the purpose of doing business is protected by laws. From payment information to email subscriptions, all business owners must comply with these laws.

Data Sovereignty, from the online business perspective, refers to where that data is physically stored. For websites, it’s data centres and the servers that reside in them.

You (and your data) are protected by the Canadian constitution if your website hosting server is in Canada, either physically or in “the cloud”. If the data centre, server or cloud service is outside of Canada, you may be open to data seizure or mass surveillance by international security agencies. Furthermore, you also won’t be protected by the other country’s privacy laws (such as the American Fourth Amendment) because you’re not a resident. Your data will be like a person without any citizenship.

“Data sovereignty means that digital data is subject to the laws of the country in which it is located,” states CIRA. “Data stored in Canada falls within Canadian privacy laws, as well as data that flows only within our borders. Once your data travels outside of Canada’s borders it is open to the laws of the land. In the U.S., for example, Canadians have no right to privacy.”

It’s much easier to understand if you picture physical customer files in a filing cabinet. If the filing cabinet is here in Canada, it’s protected by Canadian privacy laws. If you move the filing cabinet into (or through) the US or another country, the contents are outside of Canadian jurisdiction and fall under the laws of that country. Therefore, Canadian law says you have to keep that filing cabinet in Canada or notify Canadians that their data isn’t necessarily under Canadian protection.

“With the rise of cloud computing, many countries have passed various laws around control and storage of data, which all reflects measures of data sovereignty,” explains Wikipedia. “More than 100 countries have some sort of data sovereignty laws in place.”

Data sovereignty (or disclosure) is required by the Canadian Privacy Act and PIPEDA (Personal Information Protection and Electronic Documents Act). In addition to federal laws, there are Provincial laws that also restrict the movement of personal data. Laws may also vary according to the type of business you have or what sector it’s in.

How does Data Sovereignty apply to small businesses in Canada?

Data sovereignty laws apply to any size business that collects information from Canadians, online or offline. The information has to be moved and stored within Canada in order to protect Canadians from foreign laws and policies. If not, the business has to inform the consumer before they hand over the information. Eventually, the laws will probably evolve into an absolute, without exemption with disclosure.

Simply put, you are responsible for protecting any and all information collected from Canadians by your company, and you will be held liable and accountable for it. For most small businesses, the main concern is where their website is hosted because that’s where the data is collected and stored.

Does Data Sovereignty apply to email addresses?

Most global privacy laws include email addresses as ‘private information’. While it’s still a bit of a grey area in Canada, intermingling with anti-spam laws and encryption requirements, chances are it will be specifically included at some point.

How do online businesses ensure compliance with Canadian Data Sovereignty laws, now and in the future?

As the laws catch up with digital privacy and data security issues, storing data outside of Canada will become more complicated and enforcement will become standard.

The safest way to ensure data sovereignty compliance, now and in the future, is to choose a website host with data centres physically located on Canadian soil. The host can be in any country, but you must be able to choose Canadian servers. For example, we use GreenGeeks hosting (an American company) but chose their Canadian data centre during the signup process. Conversely, choosing a Canadian web hosting company doesn’t necessarily mean their data centres are in Canada, so it’s important to ask.

[DISCLOSURE: We may receive compensation through links to products on this website.]

Following are a few more hosting companies that are able to provide servers in Canadian data centres, to ensure you’re meeting your legal requirements in regards to data and privacy.

HostUpon (Based in Canada, servers in Canada)

Stormweb Hosting (Based in Canada, servers in Canada)

Shopify Canada Hosting and eCommerce platform (Based in Canada)

Video overview of the 10 fair information principles for all Canadian businesses subject to PIPEDA.

Where can I find official information about Canadian data sovereignty laws?

For the latest and most accurate information, please refer to the following official sources. Note that provincial Acts are often focused on privacy as it applies to health information, which would probably only apply to your business if you’re in a health-related niche.

Canadian Personal Information Protection & Electronic Documents Act (PIPEDA)

Canadian Digital Privacy Act

British Columbia Personal Information Protection Act (PIPA)

Alberta Personal Information Protection Act (PIPA)

Ontario Personal Health Information Protection Act (PHIPA)

New Brunswick Personal Health Information Privacy & Access Act (PHIPAA)

Manitoba Personal Health Information Act (PHIA)

Quebec Privacy Act (QPA)

Do you have any questions about data sovereignty in Canada for online businesses? Please comment below or join us in the Online Business Canada Facebook group.

Disclosure: I am not a lawyer and this article should not be taken as legal advice. The information contained herein is my understanding of the topic at hand at the time of this post.

You may also be interested in reading:

Canadian Law for Online Businesses: Resources and Tools

Recession-Proof Online Businesses to Start from Home book

7 Recession Proof Online Businesses To Start From Home

Expert help to choose, start, and run the business of your dreams!
“Almost 200 pages of pure gold…”



© – Content on this website may not be used elsewhere without expressed permission. Thank you for respecting the effort that we have put into our original content.

DISCLOSURE: We may receive compensation for links to products on this website. As an Amazon Associate, we earn from qualifying purchases. Our content is provided for informational purposes only and does not guarantee results.

COMMENTS ARE MODERATED – Legitimate comments will be published after a short delay. Spam will not be published.

Digital Business & Marketing Manager at Online Business Canada | Website | + posts

Melody McKinnon is an internet entrepreneur with 25 years of experience in a wide range of online business models, backed by a formal business education and enhanced by training and mentorship. She has owned or managed both educational and ecommerce websites. Her book, 7 Recession Proof Online Businesses to Start From Home, is available from all major ebook retailers.

Melody has worked with many businesses & brands in a multitude of capacities. She can often be found on,,, and, as well as other quality digital publications. Her content has earned reference links from highly-respected websites, magazines and university textbooks.

Follow Melody McKinnon on Medium:

Notify of
Inline Feedbacks
View all comments