Data sovereignty in a trade war

In the current tariff-driven trade and national security environment, the issue of sovereignty of Canada’s intellectual property assets has reared its head on a number of levels.  Clearly, the wider issue of ownership and control of technologies developed in Canada has broad implications for Canada’s economic resilience.  However, the narrower issue of control over the data enabling those technologies – the issue of “data sovereignty” – is also now receiving attention.

Concerns about transborder transfers of data were identified post 9-11 – focusing on the privacy considerations raised by the US Patriot Act, passed in the follow-up to that occurrence.  In response, the federal Office of the Privacy Commissioner issued guidance to Canadian data holders and one province – Alberta – amended its private sector privacy law to address the concerns.[1]  In addition, two provinces – BC and Nova Scotia – passed legislation that could be characterized as more explicitly trade protective, restricting the processing of data held by public sector institutions to Canadian-based service providers.[2]  However, none of these rules directly address the larger issue of ownership of, or control over, databases containing the personal and other data of Canadians – the more explicit data sovereignty issue.

What is data sovereignty?

So it is timely to ask: what does “data sovereignty” mean, and if determined to be a critical objective, what actions are or can be available to achieve it?

In its narrowest sense, data sovereignty, or more precisely “data localization”, means restricting the ownership or control of data generated in a jurisdiction to persons residing in the jurisdiction.  In a broader characterization, the term can refer to requiring the processing of data (including simply residing on servers) within the jurisdiction, without any necessarily limiting rules regarding the ownership or control of the data – analogous to the initially enacted BC and Nova Scotia cross-border processing rules.

Currently, there are no Canadian data localization rules in the narrower sense and, with the exception of the BC and Nova Scotia public sector laws, no rules prohibit cross-border data processing.  Some personal health information laws place restrictions on cross-border (provincial and international) disclosures of data but none address cross-border processing.[3]

This environment is largely consistent with the existing CUSMA/USMCA rules – explicitly protecting the free flow of information across borders and prohibiting data localization requirements, all of which are subject to “legitimate public policy” objectives.  However, the environment may be changing.  Under the new US Data Security Program, established by the Biden administration and moved forward under the Trump administration, access by designated foreign government and other actors (“adversaries”) to bulk databases holding personal information deemed sensitive for national security reasons may be subject to restriction or prohibition.[4]  In other words, the US has identified large databases as potentially qualifying for protection for national security interests and prohibition from export.

What are the current rules?

In the context of these new concerns about data sovereignty, it is useful to examine more closely the current rules, such as they are, that limit or restrict transfers of personal data outside Canada.

Quebec’s Law 25 provides the only comprehensive restrictions on cross-border transfers of personal data currently in place in any Canadian jurisdiction.  The law is similar to the GDPR cross-border transfer rule in that it requires satisfaction of the criterion of protection of data in the non-Quebec jurisdiction equivalent to that provided for under Quebec law.  Determination of whether such equivalent protection exists must be carried out by way of a privacy impact assessment addressing: the sensitivity of the information communicated, the purposes for which it will be used, the safeguards, including contractual, that will apply to it, and the legal regime applicable in the receiving jurisdiction.  In addition, appropriate privacy and security contract provisions must be put in place between the Quebec entity and the non-Quebec data recipient or service provider.

While clearly requiring a rigorous determination of the protection provided by the foreign jurisdiction, the Quebec rule remains focused on the privacy issue – meaning protection of the relevant data against unauthorized use in accordance with the rules provided by the domestic law.  This is not per se a “data sovereignty” rule in either the narrow or broader category mentioned above – it does not address the ownership/control of data, nor the localization of data processing.  However, to the extent that the law is focused on safeguarding Quebec residents’ data against unauthorized uses, it may be considered broadly “nationalist” in its objectives.

The only Canadian laws that have directly addressed data localization were the original BC and Nova Scotia public sector data processing rules, which required domestic processing, subject only to limited exceptions, in particular consent by the data subject (likely impractical to obtain).  BC amended its law in 2021 to simply require a privacy impact assessment for cross-border processing, aligning it in a general sense with the Quebec rule but without that law’s prescriptive provisions.[5]  The original Nova Scotia rule continues in place.  In sum, Nova Scotia’s is the only current rule that may be considered to require localization of processing.

Bill C-27, which was before Parliament prior to the recent election with the objective of providing for a modern updated private sector privacy law, included no cross-border transfer restrictions or any provisions requiring data localization.  The proposed Consumer Privacy Protection Act did include more explicit provisions requiring contractual protections for data transferred to service providers, including offshore providers.  It remains to be seen whether, in the current trade conflict environment, a re-introduced bill will include provisions addressing cross-border transfers in line with the Quebec rule or otherwise.

How could enhanced rules address data sovereignty?

How might the existing rules addressing cross-border transfers and data localization be expanded if sovereignty or enhanced protections for databases is considered a desirable policy goal?

As indicated above, the rationales reflected in the current rules are primarily privacy protection and, for a limited scope, protection for domestic processing providers.  However, broader “data sovereignty” objectives might include limiting foreign entities’ use of Canadians’ data for economic gain or, more explicitly, stating that such data represents a valuable national asset that for both economic and security reasons must be owned by Canadians.  An example might be restricting or prohibiting the exploitation of Canadian health data for training artificial intelligence systems, research, or marketing purposes by offshore medical database providers, designating such data as a valuable national asset.

While data ownership rules, or rules limiting foreign use of domestic data, could provide the clearest and most straightforward stipulation for data sovereignty, such provisions may be considered a step too far in the global trade environment.  Furthermore, they may not address the real “elephant in the room” of offshore data processing (e.g. cloud storage) – which is distinct from data ownership.  Simply put, an offshore data processing provider does not own the data it holds and, unless authorized explicitly by the data owner, does not have the right to use it for its own purposes.

An alternative strategy could see establishing rules that, while permitting offshore data processing, would focus on enhancing protections against unauthorized access by foreign actors, including government.  Such provisions would require organizations to meet not only the current Quebec Law 25 requirements but also to have enhanced protections that clearly respond to a data sovereignty goal.  For example, database owners could be required to maintain a full back-up on domestic resident servers, provided by an entity outside the control of the offshore company – thus ensuring continued access in the face of any foreign government initiatives to seize or restrict use of the data.

A further requirement could provide for stipulated protective rules in all service provider contracts, analogous to the GDPR’s Standard Contractual Clauses.[6]  While such protective contractual provisions might not prevent a foreign state actor enabled by law to seek access, they would as a minimum require the offshore provider to assist in opposing access by all available means.

These provisions could be strengthened by explicit prohibitions against unauthorized access, enforced by severe financial penalties imposed on the offshore provider in the event of breach – at the levels under the EU’s General Data Protection Regulation or Quebec’s Law 25 (e.g. the higher of $25 million or 4% of worldwide gross revenues).  It has been suggested that including such provisions in a statute may provide a “blocking” rule that would lead a foreign court to determine that the data should not be disclosed.[7]

Summary and Conclusions

There are many aspects to the issue of data sovereignty in the context of a trade war.  In its narrowest sense, the precept means establishing domestic Canadian authority over the data – meaning primarily the personal information – of Canadians.  One can argue that such data represents an asset of national interest and therefore should be subject to restrictions, analogous to other assets of national importance that are protected by foreign investment review legislation.  In this sense, data sovereignty means ownership, or at least protections establishing pre-eminent rights to use such data for Canadian resident organizations.  Whether establishing such rights in the trade conflict environment becomes policy remains to be determined.[8]

However, irrespective of the ownership issue, there is the broader issue of control over, and protections for, data held in foreign databases, which as a rule hold the data as a service to the data owner, without any right to use it for their own purposes.  In this regard, Canada has made halting steps, primarily through privacy legislation, to ensure that such data is protected for the purposes for which it was provided (by the relevant users, i.e. individuals).  An initial data sovereignty strategy which could garner broad-based support would see enhancing such protections through the privacy lens.  Quebec’s Law 25 represents the current salient example of such a strategy.  Overlaid on such a strategy could be controls restricting uses of the data, potentially addressing the more explicit sovereignty considerations discussed above.

As noted in the discussion, most of the current propositions for data localization revolve around privacy.  However, one still may ask whether, if the real objective is a national, sovereign interest over Canadians’ data, responding to that objective under the privacy guise fails to address the issue directly.


For more information please contact: David Young, 416-968-6286, david@davidyounglaw.ca

Note: The foregoing does not constitute legal advice. © David Young


[1] Guidelines for processing personal data across borders, OPC, Jan. 27, 2009; Alberta Personal Information Protection Act, s. 33.

[2] BC Personal Information Protection Act, s. 13.1; Personal Information International Disclosure Protection Act, NS Statutes 2006, c. 3.  It should be noted that Quebec’s Private Sector Privacy Act, RSQ c. P-39.1, s. 17, adopted in 1993, contained a cross-border rule, requiring the data holder to ensure that personal information transferred outside the province only be used for the same purposes for which it was collected.

[3] See, for example, Ontario Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, s. 50; Personal Health Information Act, SNL 2008, c. P-7.01.

[4] Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern, Executive Order, Feb. 28, 2024.

[5] See: Personal Information Disclosure for Storage Outside of Canada Regulation, BC Reg. 294/2021.

[6] See: EU Standard Contractual Clauses, European Commission Guidance Document.

[7] Beware, Donald Trump might go after Canadians’ health data next, Michael Geist and Kumanan Wilson, The Globe and Mail, Feb. 28, 2025.

[8] A separate issue – not directly addressed in this article – is the ownership of personal data in databases generated through direct collection by (primarily online) organizations such as Facebook and Google.  However, one might contemplate a data sovereignty approach also to that data, such as a Canadian localization requirement.