As companies are getting more and more technologically advanced, some in-house lawyers may ask themselves, “Where in the world is our company’s data stored?”
Data residency refers to the physical or geographic location of an organization’s data, including the personal data of its customers. Types of data may include personally identifiable information (PII), credit card data, or just company information. As organizations become more versatile and cross-border in their business affairs, data storage is becoming just as complicated. Most organizations outsource the management of their data residency and data storage requirements to service providers without knowing where the data is being stored. Many industry and governmental security and data protection regulations and laws include specific requirements regarding where data can and must be kept.
In Canada, a number of key federal and provincial pieces of legislation and regulators govern the collection, use and storage of data, such as the Personal Information Protection and Electronic Documents Act (PIPEDA), which is the federal privacy law for private-sector organizations, and the Office of the Privacy Commissioner.
In the United States, there are a number of cross-functional federal and state-specific laws that govern the collection, use and disclosure of data collected by public and private companies and government agencies. Most organizations have U.S. and Canadian operations and, sometimes, these organizations do not have end-to-end visibility into, or control over, whether the cloud-computing resources they are using to store their data are entirely resident in Canada. This is especially relevant to companies whose policies carry requirements from laws such as PIPEDA or that are concerned about the U.S. Patriot Act. In the United States (or for U.S. companies doing business outside of the U.S.), the Patriot Act grants government and law enforcement agencies the ability to search data retained by service providers. The Canadian and provincial privacy laws (including PIPEDA) are in conflict with the Patriot Act, and Canadian companies looking to store private data in the U.S. would be subject to adherence.
The European Union will also be cracking down hard with its new General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), coming into force on May 25, 2018, which will be automatically binding on all national governments within the EU. The intention of the European Parliament, the Council of the European Union and the European Commission is to strengthen and unify data protection for all individuals within the EU. The regulation also addresses the export of personal data outside the EU. The GDPR aims primarily to give citizens and residents back control over their personal data and to simplify the regulatory environment for international businesses within the EU or outside of the EU. The scope of the GDPR extends to all foreign companies processing data of EU residents. Any breach of, or non-compliance with, these new laws will lead to severe penalties of up to two per cent of the organization’s worldwide turnover.
Most recently, data residency has been at the discussion table between the Donald Trump and Justin Trudeau administrations at the NAFTA talks. The U.S. has challenged the data storage laws of British Columbia and Nova Scotia, saying they do not align with the United States in that they allow personal information collected by governments, such as health records, to be stored on domestic servers to prevent it from being accessed for reasons other than those for which it was collected. In its negotiating objectives, the Office of the United States Trade Representative said it wanted to “establish rules to ensure that NAFTA countries do not impose measures that restrict cross-border data flows and do not require the use or installation of local computing facilities.” The Patriot Act was an Act of Congress that was signed into law by then-president George W. Bush on Oct. 26, 2001, just after 9/11, to help fight terrorism by allowing the U.S. intelligence office to view and inspect any data being stored in the U.S.
In-house counsel should take a look at their company’s internal policies and procedures regarding data residency and also carefully examine where their technology service providers or vendors are housing or storing the organization’s data or the data of the organization’s customers. In-house counsel should also consider taking a deep dive into the appropriate laws of the state, province or country to ensure compliance with all data storage and privacy laws.