Notes from the IAPP Canada: Canadians' data sovereignty philosophies are shifting

Things are moving at the speed of light these days in our industry. Three months ago, we rarely heard the term "data sovereignty." Today, it's mainstream news.

The reason? Canada has not passed any law or regulation, so this seems to be coming from the grassroots. Canadian businesses and individuals are pressuring U.S.-based companies that want Canadian business to keep our data here and to move their technology, including artificial intelligence tools, north of the border. And it seems to be working.

IBM, for instance, announced this week that it is growing its Canadian operations to reassure Canadians that the technology and data will not leave the country.

At my firm, we use several cloud-based industries to help with our work. For file storage, we've made the conscious decision to use a company that is headquartered in the EU, but that has also set up their technology and data centers in Canada.

Back in 2009, the Office of the Privacy Commissioner of Canada issued its guidance on transborder data flows. I actually played a role in the development of that document. The then commissioner Jennifer Stoddart and her assistant commissioner Elizabeth Denham believed in a world where free trade and the free flow of information was necessary for the world economy at the time. But, in the span of just three months, the world economy has dramatically shifted and many people in Canada, including in our industry, are rethinking some of the general philosophies we had established.

Some of you may have seen my LinkedIn post this week about how Privacy Commissioner of Canada Philippe Dufresne, took time out of his busy schedule to speak to and inspire my privacy law students. And, last term, it was Ontario Commissioner Patricia Kosseim. As the commissioner has done on previous occasions with my students, he left plenty of time and opportunity for the students to ask questions.

Some questions were quite tough, including a pointed one that asked, "might you as commissioner ever make the conclusion that if an organization in Canada allows personal information under its control to be accessed from, or stored in, the U.S., to be a breach of the legal obligations to use all reasonable safeguards to protect the information?"

We follow Chatham House Rules in my class, so I'm not going to give away the answer. Though I will hint that these types of questions are definitely on the minds of our regulators, and they are thinking long and hard about them.

Now, switching gears to a different topic. I've been waiting to announce this given that our various commissioners' schedules this year have been a little uncertain and I haven't been able to figure out exactly who would be at the IAPP Canada Privacy Symposium 2025 in May.

Well, while there is still some uncertainty, we can't wait any longer to plan and announce the Commissioners' Game Show. There may be more, but for certain Commissioner Dufresne and Commissioner Kosseim have agreed, once again, to play along. They'll be playing a privacy-themed game of Taboo — some people know it as Password.

I think it will be quite fun and with this and Rick Mercer in the lineup, I'm sure we will all be able to get a few good laughs at the premiere event for our Canadian privacy industry. Make sure to save your spot early because they are disappearing quickly.

Kris Klein, CIPP/C, CIPM, FIP, is the managing director for Canada for the IAPP.