The issue of hosting personal data is becoming increasingly important for Quebec companies, in a context marked by stricter regulatory requirements and heightened customer awareness of the need to protect their information. While data localization is not a legal obligation, it can nevertheless have concrete implications in terms of compliance, trust and corporate strategy.
Understanding legal obligations: Law 25 and beyond
Coming into force progressively from 2022, Bill 25 imposes new requirements on companies that collect, hold or process personal information in Quebec.
These obligations include:
- obtaining free and informed consent for any collection or use of personal data;
- designating a person responsible for the protection of personal information;
- documenting the security measures put in place;
- being able to demonstrate compliance in the event of an audit.
The law does not explicitly stipulate that data must be hosted in Canada. However, it does require organizations to ensure that any transfer of data outside Quebec (or Canada) does not reduce the level of protection afforded to data subjects.
Local hosting: what are the advantages?
Opting to host your data in Canada, or even in Quebec, can address a number of considerations. Working with a provider that is itself subject to Canadian laws such as Bill 25 or PIPEDA (the legislation that governs the management of personal data in Canada’s private sector) can simplify regulatory compliance. In addition, some customers require data to be stored in Canada to meet their own contractual requirements. Other companies prefer a local provider for strategic reasons, such as sovereignty, proximity or support for Quebec’s digital economy.
Other criteria, however, such as performance or security, depend less on geographical location than on the quality of the infrastructure, the contractual guarantees and the technical measures in place, such as data encryption and redundancy.
What US regulations say (and don’t say)
Hosting data in the U.S. can raise a number of concerns, particularly in relation to the Patriot Act, which allows U.S. authorities to access data hosted in the U.S. under certain conditions.
This situation does not in itself constitute a breach of Canadian law, but it may conflict with the obligation to adequately protect personal information. For sensitive sectors or strategic data, this type of hosting therefore requires a rigorous risk assessment and the implementation of compensatory measures to protect against commercial espionage.
Localization = compliance? Not always.
It’s important to make a clear distinction between the location of data and its level of protection. Data hosted in Canada is not necessarily more secure than data hosted elsewhere: it all depends on the service provider, its practices and the controls in place.
Similarly, local hosting does not absolve a company of its obligations in terms of governance, traceability or consent.
In conclusion, there is no single answer. At TechNuCom, we believe it’s essential to ask the right questions and to equip ourselves with the right tools to answer them. We host our customers’ data in Quebec, Ontario, the USA, France, Belgium, Germany and Ireland. Each organization needs to analyze its priorities, the characteristics of its data, its regulatory obligations and the budget it is prepared to devote to them, in order to define a coherent approach.