Did you know you could be in violation of privacy laws, simply by hosting your website on servers that are physically located outside of Canada?
Do you really know where your website and customer data is stored?
If not, you’re in good company. Most Canadian businesses aren’t aware of the legal risks they’re taking by not knowing where their data is stored. They may even think the data is stored in Canada, when in fact it’s somewhere else. As Canadian privacy laws change, it’s more important than ever to know the answers to these questions. The hard truth is, if you store (or move) any kind of customer or visitor data to, or through, servers that are located outside of Canada, you could find yourself in serious trouble.
Why is This a Privacy Issue?
You (and your data) are protected by the Canadian constitution if your hosting server is in Canada, either physically or on “the cloud”. If the data centre, server or cloud service is outside of Canada, you may be open to data seizure or mass surveillance by international security agencies. Furthermore, you also won’t be protected by the other country’s privacy laws (such as the American Fourth Amendment) because you’re not a resident. Your data will be like a person without any citizenship.
“Any information that goes outside of Canada is up for grabs by local law enforcement,” former assistant federal privacy commissioner, Heather Black, told Global News.
To ensure your data is protected by Canadian law against intrusive provisions from the USA Freedom act, sweeping server seizures under the Digital Millennium Copyright Act, the loss of net neutrality, and other foreign laws or policies, your website must be hosted on Canadian soil (see list below). If not, you at least have to inform your customers and visitors that their information may be processed in a foreign country. Under some circumstances, you may be prohibited entirely from moving personal data outside of Canada or your province, with or without consent.
Data sovereignty is required by the Canadian Privacy Act and PIPEDA (Personal Information Protection and Electronic Documents Act). In addition to federal laws, there are Provincial laws that also restrict the movement of personal data. Laws may also vary according to the type of business you have or what sector it’s in.
What it all comes down to is this: you are responsible for protecting any and all information collected from Canadians by your company, and you will be held liable and accountable for it.
As the laws catch up with digital privacy and data security issues, storing data outside of Canada will become more complicated and enforcement will become standard. For example, some privacy changes came into force on November 1st, 2018. The Office of the Privacy Commissioner is also tackling specific scenarios, such as the legal purchase of Cannabis in Canada and how this data may be accessed by other countries, resulting in denial of entry.
Clearly, the safest way to ensure compliance, now and in the future, is to choose a website host with data centres physically located on Canadian soil.
Using a Canadian Hosting Company Doesn’t Mean Your Website is Hosted in Canada
Many “local” and other hosting providers are actually resellers. Quite often the actual host is an outside company that could be located anywhere. Conversely, an American hosting company may have data centres located anywhere in the world, including Canada. Their objective is to have servers in close proximity to their clients’ location to improve speed and efficiency.
For example, we host our websites with GreenGeeks because they came out on top after applying our website hosting checklist. GreenGeeks is an American company. However, during the signup process you are presented with a choice of where you want your website to be hosted; Canada, Europe or the US. We have our websites on their Canadian servers. From a legal perspective, the fact that they’re an American company doesn’t matter. What matters is that any customer or visitor data we gather from Canadians is safely stored on this side of the border.
Ecommerce is a bit more tricky because payments may be processed outside of Canada by credit card providers. However, most data can still be controlled if you use a Canadian eCommerce platform like Shopify.
“If that data is stored in our Canadian infrastructure, it is not being shared,” Loren Padelford, vice-president and GM for Shopify Plus told the Financial Post. “Unless we are provided a court order by an entity that has jurisdiction over Shopify as a Canadian company, we will not be sharing this information with anybody.”
Canadian Data Centres
It’s critical that you ask potential hosts:
- Where exactly their physical servers are.
- Will you be able to choose to host your website on Canadian servers, if they have them.
Following are a few hosting companies that are able to provide Canadian data centres, to ensure you’re meeting your legal requirements in regards to data and privacy.
GreenGeeks (Offices in Canada, Canadian servers available)
HostUpon (Based in Canada, servers in Canada)
Stormweb Hosting (Based in Canada, servers in Canada)
Sibername (Based in Canada, servers in Canada)
Shopify Canada Hosting and eCommerce platform (Based in Canada)
Is your website hosting in compliance with Canadian privacy laws? We urge you to verify the location of your data centres and change hosts if necessary.
✔ You may also be interested in reading:
HTTPS: The Easy Way to Implement SSL on a WordPress Blog
How Small Businesses Can Prevent Ransomware Encryption
Canadian Consumers & Online Retailers are Embracing Digital Wallets
© CanadiansInternet.com – Content on this website (all or in part) may NOT be used elsewhere without expressed permission. Content theft will result in legal action. Thank you for respecting the effort that we have put into our original content. If you would like to have high quality content created for you, please contact our writer directly.
DISCLOSURE: We may receive compensation for links to products on this website.
COMMENTS ARE MODERATED – Legitimate comments will be published after a short delay. Spam will not be published.