Image for Data Localization: Do You Know Where Your Data Is?
Avatar image of Jesse Schooff

Data Localization: Do You Know Where Your Data Is?

Jesse Schooff explores why laws to keep citizens' data in their country of residence can be both a win and a loss for privacy.

In our online world, data is either moving, or sitting still. When it’s moving (in transport), we can use TLS-based encryption (like HTTPS) to be relatively certain that our data is secure and private.


Data sitting still can be vulnerable, especially when it’s stored unencrypted. The administrators of big networks like Facebook, Google, Twitter, and others work hard to keep malicious hackers – who want access to your data – out of their servers. For the most part, those big providers do a pretty good job. But hackers aren’t the only ones who want to access your stored data, and big networks will often let in prying eyes through the front door.

If, like me, you’re not a citizen of the United States, you might be concerned about how much of your personal data is stored on servers in the US. That’s because, when stored in the U.S.A., the privacy of your data is subject to U.S. law, where Canadians have next to nothing in the way of privacy rights. If American law enforcement or intelligence agents come knocking at an American tech company, looking to snoop on your data, there’s not much that you can do about it. 

Likewise, if a service or hosting provider has agreements with data brokers – for-profit enterprises which specialize in building databases of “potential customers” – your private data might be legally sold off.

Concern over such scenarios has prompted some Canadian provinces to enact data localization laws, which state that certain information of Canadian citizens must be stored in Canada (and thus, subject to the laws thereof). For example, here in my home province of British Columbia, laws prevent public institutions such as schools, hospitals, or public utilities from using providers outside Canada to store the information of private citizens. There’s a similar law in Nova Scotia. This might sound like a great win for Canadian data privacy. Unfortunately, the issue of data localization is a lot more complicated upon closer inspection.

First and foremost, the Americans have come to characterize Canadian data localization laws as an unfair trade barrier. This is because such laws make it impossible for US hosting companies to bid for certain Canadian business. The Trans-Pacific Partnership trade agreement was written with provisions to make data localization laws illegal. While the TPP’s future is uncertain, it’s clear that the US sees themselves hard-done by Canadian localization laws, and likely plan to bring the issue up at any renegotiation of NAFTA. When Canada’s biggest trading partner says there’s a trade issue, you can bet politicians will think twice about data localization laws.

There’s another potential problem: Countries with less-than-stellar human rights records are passing their own data localization laws. By way of example, in fall of 2016, Russia told ISPs to block professional networking site LinkedIn for flouting Russian data localization laws. While localization laws in Canada and the EU could be a boon for citizen privacy, they could be the exact opposite in places where state surveillance has been highly normalized, and particularly where LGBT-identified persons face persecution under the law. 

It’s extraordinarily difficult for democracies to claim the moral high ground and criticize authoritarian regimes when democracies engage in similar kinds of tactics. So, instead of a “Do as I say, but not as I do” approach, what if democracies collaborated to make sure that their citizens’ data was protected, not just within their own borders, but within their allies’ borders as well? 

One of the ways that we can help encourage this approach is to support cross-border data protection. As aforementioned, Canadians currently have next to zero protection for their personal data when it’s shared with U.S. authorities. Canada’s Privacy Commissioner has urged our government to ask their American counterparts for basic privacy protection for Canadian citizens’ data under U.S. law, the same basic protection that the citizens of many European nations already enjoy. By adding your name to our petition, you’ll be telling Canadian lawmakers that this issue is important to you.

It’s 2017 – do you know where your data is?


Jesse Schooff is a veteran IT professional and technical communicator. As a volunteer blogger for OpenMedia he specializes in issues of privacy and information security. You can find more of his writing at geekman.ca



Take action now! Sign up to be in the loop Donate to support our work