When discussing data sovereignty or data residency we are referring to the concept that data is subject to the laws of the country in which it is located. Data sovereignty became a growing concern for many local companies as a reaction to the USA PATRIOT Act that was signed into law in 2001.
Under the Act, U.S. officials could potentially access information about citizens of other countries, including Canada, if that information is physically stored within the US or accessible electronically on the servers of a US headquartered company, regardless of where that company stores their servers. This grants the U.S. government certain rights to access information as part of anti-terrorism, money laundering investigations, and they can also issue an order prohibiting provider from notifying you that your data is being accessed.
As a result of this Act and other privacy concerns, certain Canadian organizations are required by law to keep their data within Canada’s borders. Many others though, have no legal constraints but do have other concerns about storing data outside of Canada and the enforcement of privacy regulations.
Concerns over data sovereignty while often misguided, have been heard and in turn many companies have taken steps to improve our privacy. Transparency reports have been published by many companies (like Google, Microsoft, etc.) to shed light on how frequently and under what authority governments have requested data or records and in which time period. Microsoft in particular, has been very active in fighting for data protection on behalf of its partners and customers (see Microsoft’s Privacy Principles). In Microsoft’s recent transparency report it was clear that only a fraction of a percent of users are affected by government orders (see Microsoft’s Transparency).
With all things considered, for most private sector organizations the decision to use foreign IT service providers to store or manage data, should be made according to the specific industry regulations that are in place and applicable to your case (see PIPEDA). For example, federally regulated industries such as airlines, banking, broadcasting and health care institutions will have more stringent regulations in place, since personal information is transacted. Since 2004, any organization that collects personal information in the course of commercial activity is covered by PIPEDA. Companies should also consult their provincial legislation to ensure compliance.
For most Canadian small and medium businesses, storing your email server or everyday business documents in cloud services offered by US companies (Office 365, Google Apps, Dropbox, etc) would not make a difference in terms of privacy. The main reason why numerous businesses do decide to adopt cloud services into their business model has to do with the cost savings gained from outsourcing internal processes, and the access to a broad range of service providers to address specific IT needs.