If you are a Canadian business—especially a legal or medical professional—you could be in violation of Canadian privacy laws simply by hosting your website on servers that are physically located outside of Canada.
Do you REALLY know where your website, customer data and emails are stored?
If you’re not sure, you’re not alone.
Many Canadian businesses are unaware of the legal risks they face by not knowing where their website data is stored. They might think their data is in Canada, when it’s actually stored elsewhere. As Canadian privacy laws evolve, it’s crucial to understand the issues. Storing customer or visitor data on servers outside Canada could lead to serious legal trouble.
What is the privacy issue?
Your data is protected by Canadian privacy laws only if it’s stored on servers in Canada.
If the data is on servers outside Canada, it could be subject to seizure or surveillance by foreign security agencies. Additionally, you won’t be protected by the privacy laws of those countries (e.g., the American Fourth Amendment) since you’re not a resident. Your data will be like a person without any citizenship.
Jacques Latour, Chief Technology Officer at CIRA, reminds us: “Once your data is transmitted outside Canada’s borders, it is subject to local laws of the country where the data is stored. In the U.S., for example, Canadians have no right to privacy.”
Protect your customer data
To ensure your data is protected by Canadian law and avoid issues with foreign laws or policies, your website should be hosted in Canada. If it’s not, you must inform your customers and visitors that their information may be processed in a foreign country. In some cases, you may be prohibited from moving personal data outside Canada, with or without consent.
Data Sovereignty and PIPEDA
The Canadian Privacy Act and PIPEDA (Personal Information Protection and Electronic Documents Act) require data sovereignty or disclosure. Provincial laws—especially those related to healthcare and education—may also restrict the movement of personal data, and laws can vary depending on your business type or sector (such as medical and legal professionals).
Ultimately, you are responsible for protecting any information collected from Canadians, and you will be held liable and accountable for it.
As digital privacy and data security laws evolve, storing data outside Canada will become more complicated, and enforcement will become standard.
Clearly, the safest way to ensure compliance is to choose a website host with data centres located in Canada.
Using a Canadian hosting company
Just because a hosting company is incorporated in Canada doesn’t mean its servers are located here. The actual host could be located anywhere, and hosting is always cheaper in countries like Indonesia, Turkey or India.
Some companies in the USA (like Microsoft and Amazon) do offer Canadian hosting. Legally, it’s not the company’s nationality that matters but where the data is stored.
eCommerce can be more complicated, as payments may be processed outside Canada by credit card providers. However, using a Canadian eCommerce platform like Shopify can help keep most data within Canada.
When choosing a host, ask:
- Where their physical servers are located.
- Whether you can choose to host your website on Canadian servers.
Website hosting companies at least partially in Canada
Here are a few hosting companies with Canadian data centres to help you meet your legal requirements:
- InTouch24-7 Consulting Inc. (Incorporated in BC, Canada, servers in Canada. Verified to purchase .ca Canadian domains.)
- Canadian Internet Registration Authority (CIRA) (Office in Ottawa, servers in Canada)
- HostPapa (Incorporated in Canada, servers in Canada)
- GreenGeeks (Incorporated in California, USA, Canadian servers available)
- Shopify Canadian hosting and eCommerce platform (Based in Canada)
- Microsoft (Regional offices in Canada, Canadian servers available)
Hosting companies definitely NOT in Canada
- GoDaddy is incorporated in the USA and has data centres in the USA, Amsterdam and Singapore. Clients cannot specify server locations because websites are hosted in multiple regions simultaneously.
- Hostgator is incorporated in the USA and has data centres in the USA, India and Singapore. Clients cannot specify server locations because websites are hosted in multiple regions simultaneously.
Is your website hosting in compliance with Canadian privacy laws? Verify the location of your data centres today!