Except for a public-sector law in Nova Scotia, there are no legal requirements to store personal information in Canada. It can be transferred outside the country, and this is true for both the public and private sectors.
I'm frustrated this week because I have a few American clients who are being told by their Canadian clients that they either have to build servers in Canada or forgo their contracts. The misinformed clients continue to think that our privacy laws require data localization when this is just not the case.
We do have some guidance on this issue from the Office of the Privacy Commissioner of Canada. The guidance came out in 2009 and it is private sector-focused, but it essentially says there are no laws requiring data localization in Canada. Instead, if an organization does transfer or store personal information outside the country, notice to the individual must be provided and contractual mechanisms need to be in place to adequately protect that information regardless of the geographic location where it ends up.
This guidance from 2009 was looked at again after the conclusion of the Equifax data breach investigation in 2019 and, after consultation with industry, the OPC said that the 2009 guidance is still valid.
So, with this in mind, can we stop saying that Canadian privacy laws force organizations to keep personal information in the country?
On a totally different note, I know it may feel somewhat far away (next June), but planning for the IAPP Canada Symposium 2024 is well underway. If you are thinking of putting yourself forward to speak at the event, you have until 19 Nov. to submit your proposal. The form you need to fill out is