The most widely read magazine for Canadian lawyers
Issue link: https://digital.canadianlawyermag.com/i/1544922
FEATURE CROSS EXAMINED

DATA SOVEREIGNTY REACHES THE C-SUITE

Imran Ahmad, who heads Norton Rose Fulbright Canada's tech group, says cross-border data flows are facing increased scrutiny

CANADIAN COMPANIES are no longer treating data localization as a niche compliance task; they are treating it as a strategic choice that affects their exposure to foreign laws and national security risk and ensures operational resilience, says Imran Ahmad, a senior partner at Norton Rose Fulbright Canada LLP and the firm's Canadian head of technology and co-head of cybersecurity and data privacy.

For years, cross-border transfers sat in the background of outsourcing deals and privacy policies, handled by boilerplate language and vague assurances from global vendors. That is changing as clients ask hard questions about how statutes such as the US CLOUD Act and the Patriot Act intersect with their use of cloud and SaaS tools. Ahmad says conversations that once felt theoretical now trigger concrete moves to reshape where sensitive systems live.

He sees the sharpest change among hospitals, telecoms, utilities, and other critical infrastructure players, which cannot tolerate uncertainty about who may gain access to their schematics and operational data. "For them, keeping the data within Canada became a real concern," he says, pointing to clients such as electricity distributors and generators where "these are very sensitive schematics that you don't want out there." Those organizations now probe whether data ever leaves Canada, how redundancy is architected, and what happens when system failures force data to cross borders.

Those concerns are leading to concrete action. Ahmad describes organizations that have already taken "some steps to repatriate, where it wasn't the case, the data into Canada," either by switching to vendors that can guarantee local hosting or by pressing existing providers to move it into Canada.
Once these projects start, data location stops being a narrow IT issue and becomes part of wider governance work that maps what the organization holds, ranks it by sensitivity, and decides what must stay on Canadian soil.

That governance work is no longer confined to policies that sit unread on a shelf. Organizations are finally aligning retention, deletion, and storage standards with explicit rules on jurisdiction and access, and building a more rigorous inventory of critical data sets and vendors.

Regulators are reinforcing this shift. Canada has yet to replace PIPEDA, and Bill C-27 died when Parliament was prorogued. However, Ottawa cannot stand still if it wants to preserve the EU adequacy ruling that allows data to move freely between Canada and Europe. Ahmad underscores that Europeans have "been very kind to us, to put it mildly, to keep that process in place." He expects any new federal law to follow Quebec's lead, which requires organizations to conduct a privacy impact assessment before transferring data outside the province.

Even under existing rules, expectations around vetting foreign vendors have tightened. Ahmad notes that, even though our federal privacy statute is not as robust as it should be now, the Office of the Privacy Commissioner still provides guidance on data transfers. That means a Canadian organization that wants to use a foreign cloud provider

"You can tier your data; you don't have to put it in one place"

