The European General Data Protection Regulation (GDPR) came into effect in May 2018, carrying fines for non-compliance of up to €20m or 4% of annual worldwide turnover, whichever is higher. Many organizations scrambled to work out how their applications could be affected by GDPR and what they had to do to comply. A few months on, not much has changed: precedents have still to be set. Nonetheless, questions of data sovereignty remain relevant, because the dynamic nature of cloud storage and processing leaves a fair amount of ambiguity about whose law applies. To that end, I have compiled a quick summary of how GDPR treats data sovereignty and what that means for Canadian businesses.
The GDPR defines the key concepts as follows (Article 4):
Data Controller: the entity that, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Processor: the entity that processes personal data on behalf of the Data Controller.
Data Subject: an identified or identifiable natural person whose personal data is processed by a Data Controller or Processor.
Enterprise: a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity.
Processing: any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
As data has become more portable in the cloud, the law on where data resides has struggled to keep up. Data stored physically in a data centre in one country may be replicated to a data centre in another, and may concern individuals in yet another, so that a single dataset can fall under the jurisdiction of three different countries at once. Data therefore often has overlapping jurisdictions with separate, and sometimes conflicting, legal requirements. For a thorough treatment of data residency and jurisdiction, read our white paper, ‘Even in the Cloud: Jurisdiction Matters.’
Ultimately, who owns the data matters less than where it is physically stored, because the location of storage determines which country's laws reach it. Microsoft v. United States, the litigation that began in 2014 over whether a US warrant could compel Microsoft to hand over email held in its Irish data centre, turned on exactly this question; it was mooted by the CLOUD Act in 2018 before the Supreme Court ruled on it, and that Act now lets US authorities compel US-based providers to produce data wherever it is stored, so the nationality of the provider matters alongside the location of the data. GDPR, for its part, has extended the scope of the EU's jurisdiction beyond the location of storage.
Firstly, personal data processed at a data centre physically located within the European Union is within GDPR jurisdiction: Article 3(1) covers processing in the context of the activities of an establishment in the EU, regardless of whether the processing itself takes place in the EU. Likewise, data centres in Norway, Liechtenstein and Iceland are directly subject to GDPR, since the regulation has been incorporated into the EEA Agreement.
Secondly, GDPR extends its scope beyond the data centre to the data subject. Under Article 3(2), a controller or processor with no establishment in the EU is still subject to GDPR when it processes the personal data of data subjects who are in the EU in connection with offering them goods or services or monitoring their behaviour, regardless of where the data centre sits. Article 48 adds that a judgment or order of a court or authority outside the EU requiring the transfer or disclosure of personal data is only recognised if it is based on an international agreement, such as a mutual legal assistance treaty. Since the fines are so punitive, any organization anywhere that holds the data of EU data subjects on those terms is effectively forced to comply.
What happens when an enterprise stores the data of EU data subjects outside the EU, specifically in Canada? Chapter V of GDPR requires that personal data transferred out of the EU be protected by safeguards ensuring an essentially equivalent level of protection. Those safeguards can take several forms.
A country can be deemed by the European Commission to provide an adequate level of protection under its own laws (Article 45), which allows personal data to flow to it without any further authorisation. Only a handful of countries hold such an Adequacy Decision, and European data can be exported to them without breaking GDPR compliance. Canada has held one since a 2001 Commission decision, limited to recipients subject to Canada's federal private-sector privacy law, PIPEDA, which in practice means commercial organizations. Data stored in Canada is subject to Canadian jurisdiction and, where it relates to an EU data subject, also to GDPR. If a Canadian data centre replicates or backs the data up to a data centre in another country, the data also becomes subject to that country's jurisdiction, and the onward transfer itself needs its own legal basis.
The US has also been granted an Adequacy Decision, but it is limited to organizations self-certified under the EU-US Privacy Shield framework agreed between the two governments. Andorra, Argentina, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland and Uruguay also hold Adequacy Decisions, none of them tied to an additional framework. Granting, reviewing and revoking these decisions is entirely in the hands of the European Commission. Talks are ongoing with Japan and South Korea to extend adequacy to them.
Allen Mendelsohn, an attorney specializing in internet and privacy law, says:
“The Adequacy Decision for Canada is undoubtedly beneficial for Canadian businesses, allowing for the transfer of personal data of European data subjects to Canada without the need for further contractual clauses or other additional protection mechanisms.”
GDPR distinguishes the data controller from the data processor. The controller is the enterprise that decides why and how personal data is processed, typically the business that collects it; the processor acts on the controller's instructions and is usually the cloud provider. GDPR places most of the accountability for compliance on the controller, but unlike the previous Data Protection Directive it also imposes direct obligations on the processor (Article 28) and makes the processor liable for damage caused by breaching them (Article 82). It is therefore the controller that is ultimately responsible for ensuring that the data is processed in accordance with GDPR, taking into account the location of the data centre.
As a Canadian cloud provider, cloud.ca is 100% Canadian owned, operated and governed. Our customers can be certain that data stored with us will not leave Canadian jurisdiction, whether it is primary data or backups. In accordance with GDPR and with Europe's earlier laws and decisions, we can store the personal data of EU data subjects, and we will notify our customers of any possible security breach immediately. While the manner in which GDPR will come to be interpreted is still to be determined, for now Canada's Adequacy Decision stands and transfers to Canada remain compliant.
Canadian organizations processing sensitive information, notably in healthcare, may need the assurance that their data is stored exclusively within Canada. Read more about some of our customers, and download our white paper to learn more about jurisdiction and security.